Details
- Bug
- Resolution: Unresolved
- Medium
- None
- 7.0.1
- None
- 1
- Severity 2 - Major
- 0
Description
Issue Summary
Servlets require CSRF tokens for POST requests.
However, they do not support the "no-check" header, so it is impossible to send POST requests to them from JS code.
Steps to Reproduce
- Enable HTML macros in Confluence
- Add an HTML macro with a JS script that sends a POST request to <Base-URL>/plugins/servlet/oauth/authorize (note: the "no-check" header should be enabled)
- Navigate to the page
Expected Results
The JS script should get an answer from the proxied resource
Actual Results
The JS script receives a 403 response with the message "XSRF Token missing"
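The reproduction step and the two outcomes above, as an added example that is not code from the issue, from Confluence or from Atlassian: a model of the XSRF check a servlet filter applies to state-changing requests, with a switch that either honours or ignores the "no-check" header, beside the browser-side fetch() the HTML macro would issue. The header name `X-Atlassian-Token` is the one Atlassian products use for the "no-check" opt-out; the request shape, the check logic, the `baseUrl` parameter (standing in for the issue's `<Base-URL>` placeholder) and the function names are assumptions made for the example.

```javascript
// Added example; not code from the Confluence issue or from Atlassian.
// Models the XSRF check a servlet filter applies to state-changing requests.
// opts.honourNoCheck selects the behaviour the issue expects (true) or the
// behaviour it reports (false, header ignored), so both run offline.
// X-Atlassian-Token is the header Atlassian products use for the opt-out;
// the request object shape and the check logic are assumptions.

const STATE_CHANGING = new Set(["POST", "PUT", "DELETE"]);

// Case-insensitive header lookup over a plain {name: value} object.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Compare two tokens without leaking where they first differ.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// request: { method, headers, formToken, sessionToken }
//   formToken    - XSRF token sent with the request (form field or header)
//   sessionToken - the token the server stored in the user's session
function xsrfCheck(request, opts = { honourNoCheck: true }) {
  if (!STATE_CHANGING.has(String(request.method).toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  const optOut = headerValue(request.headers, "X-Atlassian-Token");
  if (opts.honourNoCheck && optOut && optOut.toLowerCase() === "no-check") {
    // A custom header cannot be set by an HTML form or an <img>/<script> tag,
    // and a cross-origin fetch/XHR that sets it triggers a CORS preflight the
    // server does not grant. Its presence therefore shows a same-origin script
    // made the call, which is why it is accepted instead of the session token.
    return { allowed: true, reason: "no-check header present" };
  }
  if (!request.formToken) {
    // This is the 403 the issue reports when the header is not honoured.
    return { allowed: false, status: 403, reason: "XSRF Token missing" };
  }
  if (!constantTimeEqual(request.formToken, request.sessionToken)) {
    return { allowed: false, status: 403, reason: "XSRF Token invalid" };
  }
  return { allowed: true, reason: "token matches session" };
}

// Browser side: fetch() options for the POST the reproduction step describes.
// same-origin credentials are needed so the servlet sees the logged-in session.
function authorizeRequestInit() {
  return {
    method: "POST",
    credentials: "same-origin",
    headers: { "X-Atlassian-Token": "no-check" },
  };
}

// Sends the request from a Confluence page and reports how the servlet answered.
// baseUrl stands in for the issue's <Base-URL> placeholder.
async function sendAuthorize(baseUrl) {
  const res = await fetch(baseUrl + "/plugins/servlet/oauth/authorize",
                          authorizeRequestInit());
  return { status: res.status, body: await res.text() };
}

// Only perform the network call when actually running inside a browser page.
if (typeof window !== "undefined") {
  sendAuthorize(window.location.origin).then((r) => console.log(r.status, r.body));
}
```

With `honourNoCheck: true` the modelled filter returns `allowed: true` for the header-only request the macro sends; with `honourNoCheck: false` the same request gets `403` / `"XSRF Token missing"`, which matches the actual result above. The comment in `xsrfCheck` is the reason a custom request header is an acceptable substitute for the token: browsers will not attach it to cross-site form or image requests, so a servlet that honours it is not weakening its CSRF defence as long as CORS does not allow that header from other origins.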
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
Issue Links
- is cloned from CONFSERVER-59015 Servlets do not support "no-check" header for POST/PUT/DELETE requests (Gathering Impact)