topic CSRF Filter with Chrome! in Alfresco Archive

CSRF Filter with Chrome!

t16 — Wed, 11 Feb 2015 18:35:27 GMT

Hi guys,Really simple problem here I hope…Ive configured the CSRF filter to work and allow requests from a reverse proxy, and all is well using the override code in share-custom-config…<config evaluator="string-compare" condition="CSRFPolicy" replace="true"> <properties> <token&g

Re: CSRF Filter with Chrome!

idwright — Thu, 24 Sep 2015 08:29:18 GMT

Have you made any progress with this?
(Also works in Firefox)

Thanks.

Re: CSRF Filter with Chrome!

thamilanga — Mon, 09 Nov 2015 17:50:10 GMT

Has anyone been able to resolve this?

Thanks

Re: CSRF Filter with Chrome!

vmayer — Wed, 13 Jul 2016 14:09:26 GMT

Hi folks,

we are having the exactly same problem here. We are using Alfresco Community 5.1 with Alfresco Share behind an nginx used as SSL offloader. The CSRF filter is triggered always when using Chrome (OSX, Linux, Windows) or Safari (OSX) or Chromium or Epiphany (both on Linux). The filter is not triggered (i.e. Share web access works) when using IE11 or Edge on Windows 10 respectively IE11 on Windows 7. There are also no problems with Firefox (OSX, Linux, Windows), so Firefox can be used as a workaround. Our working hypothesis is thus, that the problem is somehow tied to Webkit based browsers.

Can anybody confirm (or disprove) this hypothesis or can shed some more light on the issue?

Best regards, V. Mayer

Re: CSRF Filter with Chrome!

vmayer — Thu, 28 Jul 2016 13:50:18 GMT

Hi folks,

I just wanted to share my solution, even though I haven't explored further why this makes a difference. Below you can find a snippet from my share-config-custom.xml:


      <properties>

         <!– There is normally no need to override this property –>
         <token>Alfresco-CSRFToken</token>

         <!–
            Override and set this property with a regexp that if you have placed Share behind a proxy that
            does not rewrite the Referer header.
         –>
         <referer>https://myserver.mysld.tld/share/.*</referer>

         <!–
            Override and set this property with a regexp that if you have placed Share behind a proxy that
            does not rewrite the Origin header.
         –>
         <origin>https://myserver.mysld.tld</origin>
      </properties>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

It didn't work as described before, if there still was a trailing slash (or anything more than that) in the origin element. Initially I had the identical content in the origin element as the one in the referer element. After deleting everything after the server name including the slash in the URL within the origin element resulting in the snippet above, all problems were gone.

Best regards, V. Mayer