Hi Maxim,

You can use

// WebSocket message requests carry no HTTP headers (and therefore no Origin),
// so the CSRF check is skipped for the WebSocket handlers only.
getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
    @Override
    protected boolean isChecked(IRequestHandler handler)
    {
        if (handler instanceof WebSocketRequestHandler
            || handler instanceof WebSocketMessageBroadcastHandler) {
            return false;
        }
        return super.isChecked(handler);
    }
});


The upgrade request has a proper Origin header:

Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,bg;q=0.6
Cache-Control: no-cache
Connection: Upgrade
Cookie: ....
DNT: 1
Host: localhost:8080
Origin: http://localhost:8080
Pragma: no-cache
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: FcSNIsIh3HO95UGmMUA27g==
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36

But the following communication is via the WebSocket connection and the
packets there do not bring request headers.
Wicket Native WebSocket module creates WebSocketRequest for each WS message
and those do not have request headers, so they can be safely ignored.
Maybe we can introduce WebSocketAwareCsrfPreventionRequestCycleListener in
wicket-native-websocket-core and recommend its usage when the app uses
WebSockets?!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov
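Origin validation on the upgrade request, as an added example that is not code from this thread or from Wicket: it applies the same Origin-vs-Host comparison to a handshake built from the headers above and refuses a missing or "null" Origin, since the WebSocket frames that follow carry no headers at all. The accepted_origins allow-list and both sample requests are my own constructions.

```python
# Added example (not code from the Wicket project or from this thread): the
# Origin-vs-Host comparison a CSRF listener can only make on the HTTP upgrade
# request, because once the socket is open the individual WebSocket frames
# carry no HTTP headers. Sample requests are constructed from the headers
# quoted in the thread; the accepted-origins allow-list is my own addition.
from urllib.parse import urlsplit

# Constructed sample: the upgrade request quoted in the thread, abridged.
GOOD_UPGRADE = """GET /wicket/websocket HTTP/1.1
Host: localhost:8080
Connection: Upgrade
Upgrade: websocket
Origin: http://localhost:8080
Sec-WebSocket-Version: 13
"""

# Constructed sample: the same handshake without an Origin header, which a
# listener would see (and log) as "Origin: null".
NO_ORIGIN_UPGRADE = """GET /openmeetings/wicket/websocket?pageId=1 HTTP/1.1
Host: localhost:8080
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
"""


def parse_headers(raw):
    """Map lower-cased header names to values; the request line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_upgrade_origin(raw, accepted_origins=()):
    """Return (accepted, reason) for a WebSocket upgrade request.

    Accepted when the Origin's host:port equals the Host header, or when the
    Origin is on the explicit allow-list (e.g. a separate front-end host).
    A missing Origin and the literal "null" Origin are both refused, since
    neither can be tied to a page served by this application.
    """
    h = parse_headers(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade request"
    origin = h.get("origin")
    if origin is None or origin.lower() == "null":
        return False, "Origin does not correspond to request"
    if origin in accepted_origins:
        return True, "origin explicitly accepted"
    if urlsplit(origin).netloc.lower() == h.get("host", "").lower():
        return True, "origin matches Host"
    return False, "Origin does not correspond to request"
```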

On Mon, May 15, 2017 at 11:26 AM, Maxim Solodovnik <solomax...@gmail.com>
wrote:

> Example project demonstrating it is here:
> https://github.com/solomax/ajax-download
>
>
> html with WebSocket.send:
> https://github.com/solomax/ajax-download/commit/84af661b1e5e110419f17dbf9295547c135a0cc5#diff-217ea4d3217197ce4ece382e050a7302R26
>
> On Mon, May 15, 2017 at 3:14 PM, Maxim Solodovnik <solomax...@gmail.com>
> wrote:
> > Thanks a lot for checking Martin,
> >
> > The issue seems to be caused by following code in *.html (reproducible
> > using quickstart)
> >
> > <script type="text/javascript">
> > $(function() {
> >   Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, function() {
> >     Wicket.WebSocket.send("socketConnected");
> >   });
> > });
> > </script>
> >
> > I guess I need to manually set missing headers in such call
> >
> > Can you please help to set necessary headers?
> >
> > On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov <mgrigo...@apache.org>
> wrote:
> >> Hi Maxim,
> >>
> >> Just adding getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
> >> to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't
> >> lead to any error.
> >>
> >> Martin Grigorov
> >> Wicket Training and Consulting
> >> https://twitter.com/mtgrigorov
> >>
> >> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >>
> >>> Hello Martin,
> >>>
> >>> were you able to take a look at it?
> >>> I was hoping to have M6 with working Csrf+WebSockets ....
> >>>
> >>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >>> > Thanks a million, Martin :)
> >>> >
> >>> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
> >>> >> Hi Maxim,
> >>> >>
> >>> >> I don't use this combination.
> >>> >> But I will try to test it soon and see what can be done.
> >>> >>
> >>> >> Martin Grigorov
> >>> >> Wicket Training and Consulting
> >>> >> https://twitter.com/mtgrigorov
> >>> >>
> >>> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >>> >>
> >>> >>> Does anybody use this filter?
> >>> >>>
> >>> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >>> >>> > Hello All,
> >>> >>> >
> >>> >>> > have just tried to add CsrfPreventionRequestCycleListener to our application
> >>> >>> > everything seems to work except for Websockets :(
> >>> >>> >
> >>> >>> > Now I'm getting
> >>> >>> >
> >>> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: /openmeetings/wicket/websocket?pageId=1&wicket-ajax-baseurl=&wicket-app-name=OpenmeetingsApplication, Origin: null, action: aborted with error 400 Origin does not correspond to request
> >>> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error response in WebSocket communication would not be processed by the browser! If you need to send the error code and message to the client then configure custom WebSocketResponse via WebSocketSettings#newWebSocketResponse() factory method and override #sendError() method to write them in an appropriate format for your application. The ignored error code is '400' and the message: 'Origin does not correspond to request'.
> >>> >>> >
> >>> >>> > in the logs ...
> >>> >>> > What should I do to set Origin for Websockets?
> >>> >>> >
> >>> >>> > --
> >>> >>> > WBR
> >>> >>> > Maxim aka solomax
> >>> >>>
> >>> >>>
> >>> >>>
> >>> >>> --
> >>> >>> WBR
> >>> >>> Maxim aka solomax
> >>> >>>
> >>> >>> ---------------------------------------------------------------------
> >>> >>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >>> >>> For additional commands, e-mail: users-h...@wicket.apache.org
> >>> >>>
> >>> >>>
> >>> >
> >>> >
> >>> >
> >>> > --
> >>> > WBR
> >>> > Maxim aka solomax
> >>>
> >>>
> >>>
> >>> --
> >>> WBR
> >>> Maxim aka solomax
> >>>
> >>>
> >>>
> >
> >
> >
> > --
> > WBR
> > Maxim aka solomax
>
>
>
> --
> WBR
> Maxim aka solomax
>
>
>
