[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

[Jacques Le Roux (Jira)]

    [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019418#comment-17019418
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Here isthe solution for SetTimeZoneFromBrowser

{noformat}
diff --git themes/common-theme/webapp/common/js/util/setUserTimeZone.js 
themes/common-theme/webapp/common/js/util/setUserTimeZone.js
index 4c29928..340182f 100644
--- themes/common-theme/webapp/common/js/util/setUserTimeZone.js
+++ themes/common-theme/webapp/common/js/util/setUserTimeZone.js
@@ -24,6 +24,9 @@
     $.ajax({
         url: "SetTimeZoneFromBrowser",
         type: "POST",
+        beforeSend: function(xhr,settings) {
+            xhr.setRequestHeader("X-CSRF-Token", 
$("meta[name='csrf-token']").attr("content"));
+         },
         async: false,
         data: "localeName=" + timezone,
         error: function(error) {
{noformat}


> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CRSF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)