Hi All,
I am seeing "unable to read csrf meta information" on IE edge (11) and chrome is working fine. Page keeps on loading and never completed loading.
If I access the publish urls without dispatcher IE11 pages loading fine. (all ajax calls triggered fine)
If I access the publish servers through dispatcher urls, IE11 pages not loading completely. ( some ajax service calls not triggered )
Why does the certain ajax calls are not triggered while on dispatcher ? ( every ajax request is going through same aem servlet ).
Thanks,
Sree
Views
Replies
Total Likes
From AEM 6.1, it introduced crf and for any post request it should have valid token. Verify your dispatcher.any & in filter allow for the same. Details at The Dispatcher Security Checklist
Just make sure, your http/https call is allowed at dispatcher level. As you know, most of the time, all JSON calls are denied at the dispatcher. So, let that filter be as it is and adds another filter to allow your call (token.json)
Source:- csrf url redirection
Views
Replies
Total Likes
kautuksahni : thank you for the replyl.
Just to give the background, application is migrated from AEM 6.1 to AEM 6.3 ( Environment : Windows 7 OS, IE11 browser).
On AEM 6.1, application does not have any issues through dispatcher url.
On AEM 6.3, when application accessed through dispatcher url:
AEM 6.3 not sending some of the ajax POST webservice requests to the backend server. ( all webservice requests are channeled through an AEM Servlet)
In dispatcher.any file, I do have the /libs/ .../csrf/* as allow in the filter section.
if I access, publish url directly, all ajax service calls are going through and I see the pages loading properly.
Do I need to add "CSRF-TOKEN" in clientheaders section of dispatcher.any file?
Do I need to have "CSRF-TOKEN" defined in application as some meta tag?
Could you please shed some light on this behavior ?
Views
Replies
Total Likes
Issue is happening with or without dispatcher. I am able to reproduce the issue on publisher instance.
how to get the csrf token and send while making an ajax call?
one of ajax post call is failing with "unable to read csrf meta information" and trying to get the code working.
appreciate any help. some pesudocode here:
getFundData: function(resortId, requestData) {
var fundPromise = $.Deferred();
$.ajax({
type: 'POST',
url: serviceUrl,
data: JSON.stringify(requestData),
dataType: 'json',
contentType : 'application/json',
success: function(response) {
fundPromise.resolve(response);
},
error : function(errorMsg) {
fundPromise.reject(errorMsg);
}
});
return fundPromise;
}
Views
Replies
Total Likes
This issue is happening due to csrf.js located in libs/grantie/jquery/granite path
In the following code for POST requests "this._csrf" value set to true and the following code goes to fail function which results in aborting ajax post calls.
could anyone from adobe staff can help ?
XMLHttpRequest.prototype.send = function(method) {
if (!this._csrf) {
send.apply(this, arguments);
return;
}
if (globalToken) {
this.setRequestHeader(HEADER_NAME, globalToken);
send.apply(this, arguments);
return;
}
var self = this;
var args = Array.prototype.slice.call(arguments);
promise.then(function(token) {
self.setRequestHeader(HEADER_NAME, token);
send.apply(self, args);
}, function() {
if (window.console) {
console.error('Unable to read CSRF meta information');
}
send.apply(self, args);
});
};
Views
Replies
Total Likes
Jörg Hoh Any help here?
Views
Replies
Total Likes
You need to allow /libs/granite/csrf/token.json as well as the CSRF-Token header in the dispatcher (The Dispatcher Security Checklist ).
For the CSRF token, if you are dependant on the granite.jquery clientlib, then it should be available by default. Else, you need to add granite.csrf.standalone dependency in your client library so as to enable the CSRF framework. More about this can be found here.
See The CSRF Protection Framework
Views
Replies
Total Likes
/csrf/token.json is allowed at dispatcher.any level
contexthub cart.json ajax post call is failing in the csrf.js.
For now , disabled contexthub, so there will bo no invalidstateerror and application ajax calls are executing.
Views
Replies
Total Likes
Go to publish OSGI console and make sure you have referrer (Apache referrer) configuration domain. it should be added here. Basically it needs domain name where you are POST request is coming. Try without any protocol e.g google.com, your-hostname.com
Just try and let me know.
Regards,
Jitendra
Views
Replies
Total Likes
Views
Likes
Replies