Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-24331

CSRF Protection for Platform

    XMLWordPrintable

    Details

    • Backlog priority:
      700
    • Impact type:
      Configuration Change
    • Upgrade notes:
      Hide

      CSRF protection is activated by default and based on the CORS configuration and its allowOrigin and supportedMethods parameters, which by default doesn't allow any cross origin.

      To activate an insecure configuration that allows any cross origin, use:

      <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="corsConfig">
          <!-- THIS IS INSECURE -->
          <corsConfig name="insecure" allowOrigin="*" supportedMethods="GET,HEAD,OPTIONS,POST,PUT,DELETE" >
            <pattern>/.*</pattern>
          </corsConfig>
      </extension>
      

      See https://doc.nuxeo.com/nxdoc/cross-origin-resource-sharing-cors/ for more.

      Show
      CSRF protection is activated by default and based on the CORS configuration and its allowOrigin and supportedMethods parameters, which by default doesn't allow any cross origin. To activate an insecure configuration that allows any cross origin, use: <extension target= "org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point= "corsConfig" > <!-- THIS IS INSECURE --> <corsConfig name= "insecure" allowOrigin= "*" supportedMethods= "GET,HEAD,OPTIONS,POST,PUT,DELETE" > <pattern> /.* </pattern> </corsConfig> </extension> See https://doc.nuxeo.com/nxdoc/cross-origin-resource-sharing-cors/ for more.
    • Sprint:
      nxcore 10.1.4, nxFG 10.1.1
    • Story Points:
      3

      Description

      Add CSRF protection for the platform.

      Add a flag to deactivate it for backports if clients aren't ready

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 day, 1 hour
                  1d 1h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.