
SOLVED

CSRF filter path whitelisting is not working


Level 2

Hi Experts,

It seems the excluded path is not working for me for the CSRF filter.

I need to implement Google <AMP-consent>, which requires a POST AJAX call from within the AMP framework JS. I don't have control over that, which means I can't add the CSRF token in the request header.

I have created a Sling servlet to respond to that AJAX call, based on the page along with a selector; moreover, that servlet is bound using the default Sling servlet.

1) I checked that a direct POST call from a third-party client is working fine.

2) But when there is an XHR POST call it fails (403, fails at the CSRF filter).

3) I removed the POST method from the CSRF filter config and it starts working all the way.

4) But I cannot remove the POST method entry from the CSRF filter config due to security concerns.

5) I decided to whitelist the path using a regex.

My POST call will be like: <domain>/<page Path>.ampconsent.html

Please suggest why CSRF filter path whitelisting is not working.

I appreciate any help.

bsloki


1 Accepted Solution

Correct answer by Community Advisor

Please try by excluding full paths like:


Validated the same configuration with GraphQL queries...

Aanchal Sikka

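The exclusion the accepted answer recommends, as an added example that is not part of the original thread: an OSGi configuration for the Granite CSRF filter (PID com.adobe.granite.csrf.impl.CSRFFilter) in .cfg.json form, with the poster's step-3 approach shown commented out for contrast. The page path is a placeholder, the property names are those of the filter's OSGi configuration, and the full-path form follows the answer rather than the regex the poster tried.

```json
// com.adobe.granite.csrf.impl.CSRFFilter.cfg.json
// (OSGi Configurator JSON accepts // comments; added example, not from the thread)

// NOT recommended (step 3 in the question): dropping POST switches CSRF
// protection off for every POST on the instance, not just the AMP endpoint.
// {
//   "filter.methods": ["PUT", "DELETE"],
//   "filter.safe.useragents": [],
//   "filter.excluded.paths": []
// }

// Recommended: keep the default protected methods and exclude only the
// consent servlet's full request path (selector and extension included).
{
  "filter.methods": ["POST", "PUT", "DELETE"],
  "filter.safe.useragents": [],
  "filter.excluded.paths": [
    // Placeholder page path; use the complete path exactly as it appears
    // in request.log for the failing XHR call.
    "/content/example-site/en/home.ampconsent.html"
  ]
}
```

Whatever servlet answers on the excluded path now accepts POSTs that carry no CSRF token, so it should do nothing beyond what amp-consent needs and should treat its input as untrusted.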

4 Replies


Level 10

Are you making your POST request using AEM jQuery? See if the AEM docs help you -- The CSRF Protection Framework


Level 2

Hi,

As I mentioned, this AJAX POST call is placed by the Google AMP tag named "amp-consent" used on the page. I believe it is using its own JS library to make the call, hence there is no way to inject a CSRF-related dependency.

I am aware that when an AJAX POST call is placed using AEM jQuery, the CSRF token is taken care of by itself.

Thanks,

Suresh


Level 2

Request logs:

