Adobe Experience Manager Sites & More

kautuksahni​ : thank you for the replyl.

Just to give the background, application is migrated from AEM 6.1 to AEM 6.3 ( Environment : Windows 7 OS, IE11 browser).

On AEM 6.1, application does not have any issues through dispatcher url.

On AEM 6.3, when application accessed through dispatcher url:

AEM 6.3 not sending some of the ajax POST webservice requests to the backend server. ( all webservice requests are channeled through an AEM Servlet)

In dispatcher.any file, I do have the /libs/ .../csrf/* as allow in the filter section.

if I access, publish url directly, all ajax service calls are going through and I see the pages loading properly.

Do I need to add "CSRF-TOKEN" in clientheaders section of dispatcher.any file?

Do I need to have "CSRF-TOKEN" defined in application as some meta tag?

Could you please shed some light on this behavior ?

Issue is happening with or without dispatcher. I am able to reproduce the issue on publisher instance.

how to get the csrf token and send while making an ajax call?

one of ajax post call is failing with "unable to read csrf meta information" and trying to get the code working.

appreciate any help. some pesudocode here:

getFundData: function(resortId, requestData) {

        var fundPromise = $.Deferred();

        $.ajax({

            type: 'POST',

            url: serviceUrl,

            data: JSON.stringify(requestData),

            dataType: 'json',

            contentType : 'application/json',

            success: function(response) {

                fundPromise.resolve(response);

            },

            error : function(errorMsg) {

                fundPromise.reject(errorMsg);

            }

        });

        return fundPromise;

    }

This issue is happening due to csrf.js located in libs/grantie/jquery/granite path

In the following code for POST requests "this._csrf" value set to true and the following code goes to fail function which results in aborting ajax post calls.

could anyone from adobe staff can help ?

XMLHttpRequest.prototype.send = function(method) {

        if (!this._csrf) {

            send.apply(this, arguments);

            return;

        }

        if (globalToken) {

            this.setRequestHeader(HEADER_NAME, globalToken);

            send.apply(this, arguments);

            return;

        }

        var self = this;

        var args = Array.prototype.slice.call(arguments);

        promise.then(function(token) {

self.setRequestHeader(HEADER_NAME, token);

send.apply(self, args);

        }, function() {

            if (window.console) {

                console.error('Unable to read CSRF meta information');

            }

send.apply(self, args);

        });

    };

Jörg Hoh​ Any help here?

Kautuk Sahni

You need to allow /libs/granite/csrf/token.json as well as the CSRF-Token header in the dispatcher (The Dispatcher Security Checklist ).

For the CSRF token, if you are dependant on the granite.jquery clientlib, then it should be available by default. Else, you need to add granite.csrf.standalone dependency in your client library so as to enable the CSRF framework. More about this can be found here.

See The CSRF Protection Framework

Kautuk Sahni

/csrf/token.json is allowed at dispatcher.any level

contexthub cart.json ajax post call is failing in the csrf.js.

For now , disabled contexthub, so there will bo no invalidstateerror and application ajax calls are executing.

sreenu539​,

Go to publish OSGI console and make sure you have referrer (Apache referrer) configuration domain. it should be added here. Basically it needs domain name where you are POST request is coming. Try without any protocol e.g google.com, your-hostname.com

Just try and let me know.

Regards,

Jitendra