[NXP-24828] Make the CSRF filter work with the Firefox Nuxeo browser extension - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 10.1
Fix Version/s: 7.10-HF40, 8.10-HF28, 9.10-HF06, 10.2
Component/s: Security, Web API (REST or WS*), Web Common

Tags:
Browser:
- Chrome
- Firefox
Sprint:
nxFG 10.2.2, nxFG 10.2.3

Description

Since resolution of ~~NXP-24331~~, hot reload and other functionalities from the dev tools browser extension in Firefox are not available, with the following warnings displayed in server.log:

[NuxeoCorsCsrfFilter] CSRF check failure: source: moz-extension://b168a0e9-b1e5-4f9c-adef-77cbb980e2be does not match target: http://localhost:8080/ and not allowed by CORS config

Similar problems occur when using the Postman Chrome extension, which allows REST API testing.

We cannot allow "moz-extension://*" as an origin because * is not a legal hostname.

We should whitelist moz-extension and chrome-extension schemes in CORS filter to enable these extensions.

Attachments

Issue Links

is related to

NXP-24331 CSRF Protection for Platform

Resolved

BDE-113 Hide go to Studio project link when instance is not registered

Resolved

BDE-133 Fix error message doesn't appear if dependencies are not matched

Resolved

NXDOC-1564 Fix nuxeo-dev-tools incompatible out of the box with new CSRF policy on FireFox

Resolved

BDE-148 Add warning to README about FF bug in 10.1

Resolved

Activity

People

Assignee:

Florent Guillaume

Reporter:

Karin Touchie

Participants:

Florent Guillaume, Jenkins, Karin Touchie

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2018-04-10 14:23

Updated:

2018-05-23 11:48

Resolved:

2018-04-13 08:18

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: