[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019418#comment-17019418 ]
Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------
Here is the solution for SetTimeZoneFromBrowser
{noformat} diff --git themes/common-theme/webapp/common/js/util/setUserTimeZone.js themes/common-theme/webapp/common/js/util/setUserTimeZone.js index 4c29928..340182f 100644 --- themes/common-theme/webapp/common/js/util/setUserTimeZone.js +++ themes/common-theme/webapp/common/js/util/setUserTimeZone.js 
@@ -24,6 +24,9 @@ $.ajax({ url: "SetTimeZoneFromBrowser", type: "POST", + beforeSend: function(xhr,settings) { + xhr.setRequestHeader("X-CSRF-Token", $("meta[name='csrf-token']").attr("content")); + }, async: false, data: "localeName=" + timezone, error: function(error) { {noformat}

> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch,
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch,
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token check during Ajax POST call.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
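Review bot: in the added `beforeSend`, `$("meta[name='csrf-token']").attr("content")` returns undefined when the page does not carry that meta tag, and `xhr.setRequestHeader("X-CSRF-Token", undefined)` then sends the literal string "undefined", so the server-side check fails on a bogus value instead of a clear missing-token condition; read the token into a variable first and only set the header when it is non-empty, and confirm the common theme header actually emits `<meta name="csrf-token" content="...">` since this hunk covers only the JS side. Because the issue states every POST is verified, a `$.ajaxPrefilter` that adds the header to all non-GET requests would also cover the theme's other Ajax callers instead of patching each `$.ajax` call one by one.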
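The server-side half of the scheme the issue describes (token from SecureRandom, stored in the session, checked on POST from either the hidden form field or the X-CSRF-Token header, with exempt request paths), as an added illustration that is not OFBiz's own code; the session is modelled as a plain Map and the attribute name `csrfToken` is an assumption:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public final class CsrfTokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumed session attribute name; OFBiz's actual key may differ.
    private static final String SESSION_KEY = "csrfToken";
    // Request paths exempt from the check, as the issue allows for some Ajax POSTs.
    private static final Set<String> EXEMPT_PATHS = Set.of("LookupPartyName");

    // Generate a 32-byte random token and store it in the session.
    public static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, token);
        return token;
    }

    // Verify a POST: the token may arrive as the hidden form field (widget/FTL forms)
    // or as the X-CSRF-Token header (Ajax calls). Exempt paths skip the check.
    public static boolean verifyPost(Map<String, Object> session, String requestPath,
                                     String formToken, String headerToken) {
        if (EXEMPT_PATHS.contains(requestPath)) {
            return true;
        }
        Object expected = session.get(SESSION_KEY);
        String presented = headerToken != null ? headerToken : formToken;
        if (!(expected instanceof String) || presented == null || presented.isEmpty()) {
            return false; // no token issued yet, or none presented
        }
        // Constant-time comparison so response timing does not leak matching prefixes.
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed stand-in for the user session
        String token = issueToken(session);
        System.out.println("valid header token: " + verifyPost(session, "SetTimeZoneFromBrowser", null, token));
        System.out.println("wrong token:        " + verifyPost(session, "SetTimeZoneFromBrowser", null, "bogus"));
        System.out.println("missing token:      " + verifyPost(session, "SetTimeZoneFromBrowser", null, null));
        System.out.println("exempt path:        " + verifyPost(session, "LookupPartyName", null, null));
    }
}
```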