Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-24331

CSRF Protection for Platform

    XMLWordPrintable

    Details

    • Epic Link:
    • Tags:
    • Backlog priority:
      700
    • Impact type:
      Configuration Change
    • Upgrade notes:
      Hide

      CSRF protection is activated by default and based on the CORS configuration and its allowOrigin and supportedMethods parameters, which by default doesn't allow any cross origin.

      To activate an insecure configuration that allows any cross origin, use:

      <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="corsConfig">
    <!-- THIS IS INSECURE -->
    <corsConfig name="insecure" allowOrigin="*" supportedMethods="GET,HEAD,OPTIONS,POST,PUT,DELETE" >
      <pattern>/.*</pattern>
    </corsConfig>
</extension>

      See https://doc.nuxeo.com/nxdoc/cross-origin-resource-sharing-cors/ for more.

      Show
      CSRF protection is activated by default and based on the CORS configuration and its allowOrigin and supportedMethods parameters, which by default doesn't allow any cross origin. To activate an insecure configuration that allows any cross origin, use: <extension target= "org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point= "corsConfig" > <!-- THIS IS INSECURE --> <corsConfig name= "insecure" allowOrigin= "*" supportedMethods= "GET,HEAD,OPTIONS,POST,PUT,DELETE" > <pattern> /.* </pattern> </corsConfig> </extension> See https://doc.nuxeo.com/nxdoc/cross-origin-resource-sharing-cors/ for more.
    • Sprint:
      nxcore 10.1.4, nxFG 10.1.1
    • Story Points:
      3

      Description

      Add CSRF protection for the platform.

      Add a flag to deactivate it for backports if clients aren't ready

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. NXP-25458 Edge / IE11 bad CSRF behavior

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. NXP-25902 CSRF Token

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NXDOC-1564 Fix nuxeo-dev-tools incompatible out of the box with new CSRF policy on FireFox

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NXP-25903 CSRF Token for Platform

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NXP-24828 Make the CSRF filter work with the Firefox Nuxeo browser extension

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. NXP-19629 Allow configuration of frame options

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. BDE-133 Fix error message doesn't appear if dependencies are not matched

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          mentioned in

          Page Loading...

          Page Loading...

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 day, 1 hour
                  1d 1h