Expand my Community achievements bar.

SOLVED

CSRF filter path whitelisting is not working

Avatar

Level 2
Level 2
8/4/18 12:04:18 AM

Hi Experts,

it seems the excluded path is not working for me for CSRF filter.

I need to implement Google <AMP-consent> which requires a POST ajax call within AMP framework JS. I don't have control over that means cant add the CSRF@ token in the request header.

I have created sling servlet to the response that AJAX call. based on the page along with selector moreover that serverlet is binded using default sling servlet.

1) I checked direct post-call from third party client is working fine

2) but when there is XHR post call it fails (403 fails at CSRF filter)

3) I removed POST method form CSRF filter config and starts working all the way

4)but I cannot remove post Method entry on CSRF filter config due to the security matter.

5) I decided to whitelist the path using regex

my post call will be like === <domain>/<page Path>.ampconsent.html

Please suggest why CSRF filter path whitelisting is not working

I appreciate any help

bsloki  unknow

1541687_pastedImage_0.png

Views

1.9K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
4/24/24 4:14:51 AM

Please try by excluding full paths like:

aanchalsikka_0-1713957241255.png

 

Same validated the configuration  with GraphQL queries...

Aanchal Sikka

View solution in original post

Views

343

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Level 10
Level 10
8/4/18 9:40:19 AM

Are you making your POST Request using AEM JQUERY? See if the AEM docs help you -- The CSRF Protection Framework

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
8/5/18 1:36:14 AM

Hi,

As I mentioned this Ajax post call is placed by Google AMP tag named "amp-consent"  used on the page. I belive it is using its own js library to make call hence there in no way to inject csrf related dependency.

I am aware when Ajax post call is placed using AEM JQuery then Csrf token thing will be taken care by itself.

Thanks,

Suresh

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
4/24/24 4:14:51 AM

Please try by excluding full paths like:

aanchalsikka_0-1713957241255.png

 

Same validated the configuration  with GraphQL queries...

Aanchal Sikka

Views

344

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Sling filters - what's the modern equivalent to org.apache.felix.scr.annotations.sling.SlingFilter?

Views

44

Likes

0

Replies

2
The dynamic table previews correctly in HTML, but when converted to PDF, the page is cut off.

Views

153

Likes

0

Replies

4
what is the difference between com.day.cq.workflow and com.adobe.granite.workflow?

Views

84

Likes

0

Replies

2
AEM 6.4 to 6.5 upgrade - Core Image component not working

Views

95

Likes

0

Replies

2
Redirection is not working in Dispatcher Environment

Views

116

Likes

0

Replies

5