  1. Confluence Data Center
  2. CONFSERVER-59015

Servlets do not support "no-check" header for POST/PUT/DELETE requests


    • Bug
    • Resolution: Unresolved
    • Medium
    • 7.2.2, 7.3.1
    • 6.6.15, 6.13.7, 6.14.4, 6.15.7, 7.0.1, 7.1.0
    • None

      Issue Summary

      Servlets require CSRF tokens for POST/PUT/DELETE requests.

      But, at the same time, they do not support "no-check" headers, so it is impossible to send POST requests from JS code. 


      Steps to Reproduce

      1. Enable HTML macros in Confluence
      2. Add an HTML macro with a JS script which sends a POST request to <confluence-url>/plugins/servlet/applinks/proxy. Note: the "no-check" header should be enabled
      3. Navigate to the page

      Expected Results

      JS script should get an answer from the proxied resource

      Actual Results

      JS script returns "403 XSRF Token missing message"

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available
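
The request from the steps to reproduce, written out as an added example that is not part of the original ticket. It assumes the "no-check" header is Atlassian's `X-Atlassian-Token: no-check`; the base URL, the JSON payload and the injectable `fetchImpl` parameter are constructed for illustration.

```javascript
// Added example, not code from the ticket. Assumption: the "no-check" header is
// X-Atlassian-Token: no-check. The payload passed in is a constructed placeholder.
const PROXY_PATH = "/plugins/servlet/applinks/proxy"; // path named in the ticket

// Build the POST that the script inside the HTML macro would send.
function buildProxyRequest(baseUrl, payload) {
  return {
    url: baseUrl.replace(/\/+$/, "") + PROXY_PATH,
    init: {
      method: "POST",
      credentials: "same-origin", // send the logged-in user's session cookie
      headers: {
        "Content-Type": "application/json",
        "X-Atlassian-Token": "no-check",
      },
      body: JSON.stringify(payload),
    },
  };
}

// Separate the behaviour reported in the ticket from unrelated rejections.
function classifyResponse(status, bodyText) {
  if (status === 403 && /xsrf token missing/i.test(bodyText)) {
    return "rejected-xsrf"; // the ticket's actual result
  }
  if (status === 401 || status === 403) {
    return "rejected-other"; // authentication or permission problem, not this bug
  }
  return "passed-xsrf-check"; // the servlet did not reject the request for a missing token
}

// fetchImpl is injectable so the check runs against a stub as well as in a browser.
// In the macro: reproduce("<confluence-url>", {}).then(console.log)
async function reproduce(baseUrl, payload, fetchImpl = fetch) {
  const { url, init } = buildProxyRequest(baseUrl, payload);
  const res = await fetchImpl(url, init);
  return classifyResponse(res.status, await res.text());
}
```

On an affected version the ticket's actual result corresponds to `rejected-xsrf`, even though the header is present on the request.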

              acarvalho@atlassian.com Adilson Carvalho (Inactive)
              glipatov George Lipatov
              Votes: 12
              Watchers: 19
