[NXP-25458] Edge / IE11 bad CSRF behavior - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 7.10-HF38, 8.10-HF25, 9.10-HF03, 10.1
Fix Version/s: 7.10-HF44, 8.10-HF35, 9.10-HF14, 10.3
Component/s: Authentication, Web API (REST or WS*), Web Common

Tags:
- SupCom
- noRNS
- nxFG
Backlog priority:
1,000
Browser:
- Edge
- IE11
Sprint:
nxFG 10.3.2
Story Points:
3

Description

Edge and IE11 does not send Origin header on FORM POST, preventing Nuxeo to be connected with Azure SAML ( and maybe other bad behavior )

The issue is known and confirmed:
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/10482384/

As we cannot rely on Microsoft ability to fix their issue, we need to provide a workaround

The Headers sent are Referer, so we could in case of those agents and no Origin header based our decision on the Referer header

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

cors.png
2018-07-20 18:21
46 kB
Rémi Cattiau

Issue Links

is related to

BDE-156 Can't hotreload in chrome with 9.10-HF15

Resolved

NXP-24331 CSRF Protection for Platform

Resolved

Activity

People

Assignee:

Florent Guillaume

Reporter:

Rémi Cattiau

Participants:

Florent Guillaume, Jenkins, Nelson Silva, Rémi Cattiau

Votes:

1 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

2018-07-20 18:18

Updated:

2018-10-10 12:50

Resolved:

2018-08-01 12:04

Time Tracking

Estimated:

Not Specified

Remaining:

0m

Logged:

1h