Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.
SOLVED

CSRF filter path whitelisting is not working

Avatar

Level 2

Hi Experts,

it seems the excluded path is not working for me for CSRF filter.

I need to implement Google <AMP-consent> which requires a POST ajax call within AMP framework JS. I don't have control over that means cant add the CSRF@ token in the request header.

I have created sling servlet to the response that AJAX call. based on the page along with selector moreover that serverlet is binded using default sling servlet.

1) I checked direct post-call from third party client is working fine

2) but when there is XHR post call it fails (403 fails at CSRF filter)

3) I removed POST method form CSRF filter config and starts working all the way

4)but I cannot remove post Method entry on CSRF filter config due to the security matter.

5) I decided to whitelist the path using regex

my post call will be like === <domain>/<page Path>.ampconsent.html

Please suggest why CSRF filter path whitelisting is not working

I appreciate any help

bsloki  unknow

1541687_pastedImage_0.png

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Please try by excluding full paths like:

aanchalsikka_0-1713957241255.png

 

Same validated the configuration  with GraphQL queries...


Aanchal Sikka

View solution in original post

4 Replies

Avatar

Level 10

Are you making your POST Request using AEM JQUERY? See if the AEM docs help you -- The CSRF Protection Framework

Avatar

Level 2

Hi,

As I mentioned this Ajax post call is placed by Google AMP tag named "amp-consent"  used on the page. I belive it is using its own js library to make call hence there in no way to inject csrf related dependency.

I am aware when Ajax post call is placed using AEM JQuery then Csrf token thing will be taken care by itself.

Thanks,

Suresh

Avatar

Correct answer by
Community Advisor

Please try by excluding full paths like:

aanchalsikka_0-1713957241255.png

 

Same validated the configuration  with GraphQL queries...


Aanchal Sikka