Hi Tim,

Not exactly. But I added the path to the plugin into the <request> section 
(<PathAndQuery>^/%BASE_VDIR%/PlugIns/MyPluginFolder/</PathAndQuery>). 
Because if I start the plugin via user-defined job (URL) no referrer is 
sent.


        <!--
          The following represents the CSRF request whitelist. 
          
          This is a list of regular expressions applied to the path
          and query portion of request URIs in order to exclude these
          requests from the regular Anti-CSRF request validation.
        -->
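
As an added example (not code from this thread or from OpenText), here is the two-stage check that the quoted main.config comments describe, modelled in Python: a request whose path and query matches the request whitelist is exempt from referrer validation; any other request must carry a Referer whose authority (host and port) and path/query match a TrustedReferrer rule. It assumes %BASE_VDIR% expands to "cms" on this installation and that the patterns are applied with search semantics; the rule names and sample requests are constructed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed mirror of the main.config fragments quoted in this thread.
# Assumption: %BASE_VDIR% expands to "cms" on this installation.
BASE_VDIR = "cms"
REQUEST_WHITELIST = [rf"^/{BASE_VDIR}/PlugIns/MyPluginFolder/"]
TRUSTED_REFERRERS = [
    {"Authority": r"^my\.test\.host$", "PathAndQuery": r"^/my/test/path/"},
]


def request_is_whitelisted(path_and_query: str) -> bool:
    """Requests matching the whitelist skip referrer validation entirely."""
    return any(re.search(p, path_and_query) for p in REQUEST_WHITELIST)


def referrer_is_trusted(referrer: Optional[str]) -> bool:
    """Apply the TrustedReferrer rules to the Referer header, if one exists."""
    if not referrer:
        return False  # no Referer at all: nothing to trust
    parts = urlsplit(referrer)
    authority = parts.netloc  # host plus port, e.g. "my.test.host:8080"
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    for rule in TRUSTED_REFERRERS:
        if not re.search(rule["Authority"], authority):
            continue
        pq = rule.get("PathAndQuery")
        # A rule without PathAndQuery trusts the whole authority.
        if pq is None or re.search(pq, path_and_query):
            return True
    return False


def csrf_check(path_and_query: str, referrer: Optional[str]) -> str:
    """Return 'exempt', 'trusted' or 'rejected' for one incoming request."""
    if request_is_whitelisted(path_and_query):
        return "exempt"
    return "trusted" if referrer_is_trusted(referrer) else "rejected"
```

Keep both the whitelist pattern and the Authority pattern anchored (`^...$`) and no wider than the plugin path needs: the `$` on `^my\.test\.host$` is what stops a longer host name that merely starts with `my.test.host` from being trusted.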

On Thursday, 27 February 2014 15:06:58 UTC+1, Tim D wrote:
>
> Pierre,
>
> Looking in a local main.config there is this section
>
> <Referrer>
>           <!--
>             The following exemplary entry would consider requests from an
>             Authority (host and port) that matches the regular expression 
>             "^my\.test\.host$" as legal.
>             
>             The path and query portion of the referrer would not be
>             considered for the validation.
>           -->
>           <!--
>           <TrustedReferrer>
>             <Authority>^my\.test\.host$</Authority>
>           </TrustedReferrer>
>           -->
>
>           <!--
>             The following exemplary entry would consider requests from an
>             Authority (host and port) that matches the regular expression 
>             "^my\.test\.host$" as legal, that also match the regular
>             expression "^/my/test/path/" on the path and query portion
>             of the referrer Uri.
>           -->
>           <!--
>           <TrustedReferrer>
>             <Authority>^my\.test\.host$</Authority>
>             <PathAndQuery>^/my/test/path/</PathAndQuery>
>           </TrustedReferrer>
>           -->
>         </Referrer>
>
> If you add the host that matches yours and the path to your plugin like 
> this does it correct the issue?
>
> On Tuesday, February 25, 2014 10:47:27 PM UTC-5, Tim D wrote:
>>
>> Well perhaps OT and not StackOverflow is right. Worth sharing with the 
>> person at OT who gave you that feedback :-)
>>
>> The guidelines for CSRF protection are from OWASP, perhaps this offers 
>> insight into the setting you want.
>>
>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_The_Referer_Header
>> https://www.owasp.org/index.php/.Net_CSRF_Guard
>>
>> On Tuesday, February 25, 2014 10:29:57 AM UTC-5, Pierre Kruppik wrote:
>>>
>>> This is one of the proposed solutions from OpenText (
>>> https://groups.google.com/forum/#!topic/reddot-cms-users/rDJFB_z8DbM) 
>>> Are you saying OpenText is lying? :P
>>>
>>> I would do anything in SmartEdit. I will open a URL via the user-defined 
>>> job to execute a plugin periodically. I think the only solution is to 
>>> exclude the destination URL from referrer check in the main.config.
>>>
>>> On Tuesday, 25 February 2014 15:02:18 UTC+1, Tim D wrote:
>>>>
>>>> No it won't work:
>>>> http://stackoverflow.com/questions/7922518/set-referer-header-in-asp-net
>>>>  
>>>>
>>>> You want the host? How about setting a cookie with JavaScript in your 
>>>> pages in SmartEdit and read that instead of referer?
>>>>
>>>> On Monday, February 24, 2014 6:15:45 AM UTC-5, Pierre Kruppik wrote:
>>>>>
>>>>> Hi!
>>>>>
>>>>> Since security-related changes (CSRF) it is not possible to execute a 
>>>>> plugin using a user-defined job (call url). I just added the referer to 
>>>>> the header of my plugin, but it doesn't work.
>>>>>
>>>>> <%
>>>>> ' Adds a Referer header to the HTTP response (VBScript: no trailing semicolon)
>>>>> Response.AddHeader "Referer","http://myhost/cms/"
>>>>> %>
>>>>>
>>>>> Are there any restrictions in the IIS?
>>>>>
>>>>>
>>>>> Regards,
>>>>> Pierre
>>>>>
>>>>>
>>>>>
