Confluence Data Center / CONFSERVER-59471

oauth servlets do not support "no-check" header for POST/PUT/DELETE requests

Details

    • Bug
    • Resolution: Unresolved
    • Medium
    • None
    • 7.0.1
    • None

    Description

      Issue Summary

      The OAuth servlets require CSRF tokens for POST requests, but they do not support the "no-check" header, so it is impossible to send POST requests to them from JS code.

      Steps to Reproduce

      1. Enable HTML macros in Confluence.
      2. Add an HTML macro with a JS script that sends a POST request to <Base-URL>/plugins/servlet/oauth/authorize. Note: the "no-check" header should be enabled.
      3. Navigate to the page.

      Expected Results

      JS script should get an answer from the proxied resource

      Actual Results

      JS script returns "403 XSRF Token missing message"

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

            People

              Unassigned
              Hassan Aftab (haftab)
              Votes: 12
              Watchers: 15
