Thanks a lot for your very detailed information.

François


> On 14 Nov. 2016 at 09:25, Emond Papegaaij <emond.papega...@topicus.nl> wrote:
> 
> Hi François,
> 
> Since 8.0.0-M2 (and 7.5.0) the CsrfPreventionRequestCycleListener will block 
> requests without an Origin and Referer header. The reason for this is that it is 
> possible for an attacker to prevent a browser from sending a referer header 
> (for example with rel="noreferrer"). When you open a link in a new tab, your 
> browser probably does not send these headers and Wicket blocks the action 
> request.
> 
> You can configure this behavior in CsrfPreventionRequestCycleListener with 
> setNoOriginAction. As said, the default is 'ABORT'. If you set it to 
> 'SUPPRESS', Wicket will render the page, but not execute Link.onClick. This 
> will open the new tab with the page containing the link. If you set it to 
> 'ALLOW', Wicket will allow the request, but this may undermine the protection 
> offered by CsrfPreventionRequestCycleListener.
> 
> If your link simply points to a different page, I'd recommend using a 
> BookmarkablePageLink. A request to simply render a page will never be blocked 
> by CsrfPreventionRequestCycleListener, so a BookmarkablePageLink will always 
> work. Naturally, for this to work, your target page needs to be bookmarkable.
> 
> You can also subclass CsrfPreventionRequestCycleListener and override 
> 'protected boolean isChecked(IRequestHandler handler)' to whitelist specific 
> requests. Perhaps you can tag safe links and skip checking those. This 
> solution offers you the most flexibility, but requires more work and you need 
> to be very precise in what requests to allow.
> 
> Best regards,
> Emond
> 
> 
> On Sunday 13 November 2016 18:33:52 CET Francois Meillet wrote:
>> Hi,
>> 
>> When I use a CsrfPreventionRequestCycleListener, clicking a Link<> while
>> holding the command key does not open the link in a new tab. (Wicket 8.0.0-M2 /
>> OSX)
>> 
>> I get this error :
>> 
>> HTTP ERROR 400
>> Problem accessing /. Reason: Origin does not correspond to request
>> 
>> 
>> Clicking a BookmarkablePageLink is ok.
>> 
>> 
>> François
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>> For additional commands, e-mail: users-h...@wicket.apache.org
> 
> 
> 
> 


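The three options Emond lists (changing the no-Origin action, switching to a BookmarkablePageLink, and overriding isChecked to whitelist tagged links) side by side, as an added example that is not code from the thread or from Wicket itself. It targets Wicket 8.0.0-M2; the class names CsrfConfigApplication, SafeLinkCsrfListener, ReportPage and DetailsPage, and the SAFE_LINK metadata key, are assumptions made for illustration. ListenerRequestHandler is the Wicket 8 name of the handler for Link.onClick requests (ListenerInterfaceRequestHandler in 7.x); that the listener passes that handler to isChecked(IRequestHandler) is also an assumption to verify against your Wicket version.

```java
// Added example, not from the mailing-list thread or from Wicket's own sources.
// Assumed names: CsrfConfigApplication, SafeLinkCsrfListener, SAFE_LINK, ReportPage, DetailsPage.
import org.apache.wicket.Component;
import org.apache.wicket.MetaDataKey;
import org.apache.wicket.Page;
import org.apache.wicket.core.request.handler.ListenerRequestHandler;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.link.BookmarkablePageLink;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.component.IRequestableComponent;

/** Option 3 from the reply: skip the Origin/Referer check only for explicitly tagged links. */
class SafeLinkCsrfListener extends CsrfPreventionRequestCycleListener {
    /** Tag for links whose onClick only navigates and changes no server-side state. */
    static final MetaDataKey<Boolean> SAFE_LINK = new MetaDataKey<Boolean>() {
        private static final long serialVersionUID = 1L;
    };

    @Override
    protected boolean isChecked(IRequestHandler handler) {
        // Assumption: Link.onClick requests arrive here as a ListenerRequestHandler.
        if (handler instanceof ListenerRequestHandler) {
            IRequestableComponent target = ((ListenerRequestHandler) handler).getComponent();
            if (target instanceof Component
                    && Boolean.TRUE.equals(((Component) target).getMetaData(SAFE_LINK))) {
                return false; // whitelisted: no Origin/Referer check for this request
            }
        }
        return super.isChecked(handler); // everything else keeps the default protection
    }
}

public class CsrfConfigApplication extends WebApplication {
    @Override
    public Class<? extends Page> getHomePage() {
        return ReportPage.class;
    }

    @Override
    protected void init() {
        super.init();
        CsrfPreventionRequestCycleListener csrf = new SafeLinkCsrfListener();
        // Option 1: the default is ABORT (HTTP 400 "Origin does not correspond to request").
        // SUPPRESS renders the page but does not run Link.onClick, so a cmd-click in a
        // new tab shows the page containing the link instead of an error.
        csrf.setNoOriginAction(CsrfAction.SUPPRESS);
        // CsrfAction.ALLOW would let the request through and undermine the protection.
        getRequestCycleListeners().add(csrf);
    }
}

class DetailsPage extends WebPage { // assumed target page; it must stay bookmarkable
    public DetailsPage() { }
}

class ReportPage extends WebPage {
    public ReportPage() {
        // Option 2: pure navigation, so use a BookmarkablePageLink; a render
        // request is never blocked by the listener and new-tab opening just works.
        add(new BookmarkablePageLink<Void>("details", DetailsPage.class));

        // An action link that only navigates: tagged, so the listener skips it.
        Link<Void> open = new Link<Void>("open") {
            @Override
            public void onClick() {
                setResponsePage(DetailsPage.class);
            }
        };
        open.setMetaData(SafeLinkCsrfListener.SAFE_LINK, Boolean.TRUE);
        add(open);

        // A state-changing link stays untagged: a request without Origin and
        // Referer is suppressed (or aborted, with the default action), as intended.
        add(new Link<Void>("delete") {
            @Override
            public void onClick() {
                // destructive action; keep it behind the CSRF check
            }
        });
    }
}
```

The tag is the dangerous part of this design: anything marked SAFE_LINK is exempt from the check entirely, so apply it only to links whose onClick is idempotent and changes no server-side state, and prefer a BookmarkablePageLink wherever the link merely navigates.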
