[NXDOC-1564] Fix nuxeo-dev-tools incompatible out of the box with new CSRF policy on FireFox - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Won't Fix
Affects Version/s: 7.10, 8.10, 9.10, 10.1
Fix Version/s: 7.10, 8.10, 9.10, 10.1, Fast Track (FT)
Component/s: Developer documentation
Environment:
Reproduced on Windows

Tags:
- nxftest
Browser:
- Firefox
Sprint:
FTEST - W14

Description

Since CSRF policy was tightened, il is necessary on a development environment, when using the nuxeo dev tools browsers extension, to loosen the default CSRF policy, otherwise the following messages appear on the platform console and server.log:

2018-04-09 09:35:38,005 WARN  [NuxeoCorsCsrfFilter] CSRF check failure: source: moz-extension://b168a0e9-b1e5-4f9c-adef-77cbb980e2be does not match target: http://localhost:8080/ and not allowed by CORS config
2018-04-09 09:35:38,050 WARN  [NuxeoCorsCsrfFilter] CSRF check failure: source: moz-extension://b168a0e9-b1e5-4f9c-adef-77cbb980e2be does not match target: http://localhost:8080/ and not allowed by CORS config
2018-04-09 09:35:38,075 WARN  [NuxeoCorsCsrfFilter] CSRF check failure: source: moz-extension://b168a0e9-b1e5-4f9c-adef-77cbb980e2be does not match target: http://localhost:8080/ and not allowed by CORS config

and the nuxeo-dev-tools says: "No Studio package found!"

A "correct" CSRF for nuxeo-dev-tools (stricter than just opening everything) should be documented for this particular case.

Attachments

Issue Links

is related to

NXP-24828 Make the CSRF filter work with the Firefox Nuxeo browser extension

Resolved

NXP-24331 CSRF Protection for Platform

Resolved

Activity

People

Assignee:

Karin Touchie

Reporter:

Patrick Abgrall

Participants:

Karin Touchie, Patrick Abgrall

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2018-04-09 07:47

Updated:

2018-04-10 16:33

Resolved:

2018-04-10 16:32

Time Tracking

Estimated:

Remaining:

Logged:

1h 20m