Servlets do not support "no-check" header for POST/PUT/DELETE requests


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • 7.2.2, 7.3.1
    • Affects Version/s: 6.6.15, 6.13.7, 6.14.4, 6.15.7, 7.0.1, 7.1.0
    • None
    • 5
    • Severity 2 - Major
    • 2

      Issue Summary

      Servlets require a CSRF (XSRF) token for POST/PUT/DELETE requests.

      At the same time, they do not honour the "no-check" header, so it is impossible to send a POST request to a servlet from JS code.

      Environment


      Steps to Reproduce

      1. Enable html macros in Confluence
      2. Add an html macro containing a JS script that sends a POST request to <confluence-url>/plugins/servlet/applinks/proxy. Note: the "no-check" header must be set on the request
      3. Navigate to the page
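The request from the reproduction steps, written out as an added example (it is not code from the issue or from Atlassian). It assumes the "no-check" header the report refers to is the `X-Atlassian-Token` request header, and it classifies the servlet's reply using the "403 XSRF Token missing" message quoted under Actual Results.

```javascript
// Added example: builds the POST described in the reproduction steps and
// interprets the servlet's answer. Assumption: the "no-check" header in the
// report is the X-Atlassian-Token request header.

const PROXY_PATH = "/plugins/servlet/applinks/proxy";

// Build the fetch() arguments for a POST to the applinks proxy servlet.
function buildProxyRequest(confluenceUrl, body) {
  const headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    // Honoured by REST endpoints; per the report, ignored by servlets.
    "X-Atlassian-Token": "no-check",
  };
  return {
    url: new URL(PROXY_PATH, confluenceUrl).toString(),
    init: { method: "POST", credentials: "same-origin", headers, body },
  };
}

// Tell the CSRF rejection apart from a genuine error of the proxied resource,
// so a page script can log the right thing instead of a generic failure.
function classifyResponse(status, bodyText) {
  if (status === 403 && /XSRF Token missing/i.test(bodyText)) {
    return "xsrf-rejected"; // the no-check header was not honoured
  }
  if (status >= 200 && status < 300) return "proxied-ok";
  return "other-error";
}

// Usage from a page script (browser only; not executed here):
// const { url, init } = buildProxyRequest(location.origin, "q=1");
// fetch(url, init).then(async (r) => classifyResponse(r.status, await r.text()));
```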

      Expected Results

      The JS script should receive a response from the proxied resource.

      Actual Results

      The JS script receives a "403 XSRF Token missing" response.

      Notes


      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available

            Assignee:
            Adilson Carvalho (Inactive)
            Reporter:
            George Lipatov
            Votes:
            12
            Watchers:
            19