[ https://issues.jenkins-ci.org/browse/JENKINS-7518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160078#comment-160078 ]

mdp commented on JENKINS-7518:
------------------------------

nginx by default disallows some characters in header names that the HTTP 
specification allows: 
http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers
'.' is one of them, so the .crumb header gets filtered out.

This can be turned off as per the linked page - worth noting in documentation 
(in crumb issuer configuration help?).
But maybe switching to a more compatible header (x-jenkins-crumb?) would be a 
safer choice?
                
> CLONE -Crumb breaks ajax request behind proxies. -- Still broken behind nginx 
> proxies
> -------------------------------------------------------------------------------------
>
>                 Key: JENKINS-7518
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-7518
>             Project: Jenkins
>          Issue Type: Bug
>          Components: core
>    Affects Versions: current
>         Environment: Platform: All, OS: All
>            Reporter: cap10morgan
>            Assignee: Dean Yu
>             Fix For: current
>
>
> Hudson: 1.310-SNAPSHOT (svn trunk)
> I checked "Prevent Cross Site Request Forgery exploits", then ajax requests like
> ajaxBuildQueue returned "HTTP/1.1 430 Forbidden".
> I use a Hudson installation behind some proxies.
> In hudson.security.csrf.DefaultCrumbIssuer L58, "Request#getRemoteAddr()" is
> used to update the MessageDigest, but behind proxies it will return a different
> IP on each request.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
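To make the header-filtering behaviour mdp describes concrete, here is an added example (not code from the Jenkins issue, from Jenkins, or from nginx's source) that models the rule documented for nginx's ignore_invalid_headers directive: a header name is valid when it consists of ASCII letters, digits and hyphens; underscores are valid only when underscores_in_headers is on; any other character, including '.', marks the header invalid, and with ignore_invalid_headers on (the default) nginx drops it before the request reaches the upstream, so a proxied Jenkins never sees the .crumb header. The sample request, its header values and the X_Forwarded_For header are constructed for the example; x-jenkins-crumb is the alternative name mdp floats, not an existing Jenkins header here.

```python
"""Model of nginx's default header-name filtering (ignore_invalid_headers on).

Added example; it is not nginx's code. It follows the rule in the nginx
documentation for ignore_invalid_headers: valid names are composed of English
letters, digits and hyphens, plus underscores if underscores_in_headers is on.
"""

import string

# Characters nginx's header-name parser always accepts.
_ALWAYS_VALID = frozenset(string.ascii_letters + string.digits + "-")


def header_name_is_valid(name: str, underscores_in_headers: bool = False) -> bool:
    """Return True if nginx would treat this header name as valid."""
    if not name:
        return False
    for ch in name:
        if ch in _ALWAYS_VALID:
            continue
        if ch == "_" and underscores_in_headers:
            continue
        # '.', ' ', '@' and every other byte flag the header as invalid.
        return False
    return True


def proxy_headers(request_headers, ignore_invalid_headers=True,
                  underscores_in_headers=False):
    """Simulate which client request headers survive nginx and reach the upstream.

    `request_headers` maps header name -> value as sent by the browser.
    With ignore_invalid_headers on (nginx's default), invalid names are dropped;
    with it off, every header is passed through unchanged.
    """
    if not ignore_invalid_headers:
        return dict(request_headers)
    return {
        name: value
        for name, value in request_headers.items()
        if header_name_is_valid(name, underscores_in_headers)
    }


# Constructed sample XHR headers: the dot-prefixed crumb name from the issue,
# a hyphenated alternative like the one suggested in the comment, and an
# underscore header to show the underscores_in_headers interaction.
# The crumb value and addresses are made up.
SAMPLE_REQUEST = {
    "Host": "jenkins.example",
    ".crumb": "0123456789abcdef",
    "X-Jenkins-Crumb": "0123456789abcdef",
    "X_Forwarded_For": "10.0.0.1",
}


if __name__ == "__main__":
    default = proxy_headers(SAMPLE_REQUEST)
    print("default nginx forwards:      ", sorted(default))
    relaxed = proxy_headers(SAMPLE_REQUEST, ignore_invalid_headers=False)
    print("ignore_invalid_headers off:  ", sorted(relaxed))
```

Under the default settings the model forwards only Host and X-Jenkins-Crumb; .crumb and X_Forwarded_For are silently dropped, which is exactly why Jenkins behind nginx rejects the request with a crumb error. The configuration remedy the comment points at is `ignore_invalid_headers off;` in the http or server context of nginx.conf, but that forwards every oddly named header to the upstream, so a crumb header whose name uses only letters, digits and hyphens is the more robust fix, as the comment suggests.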
