https://issues.apache.org/jira/browse/WICKET-6389

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, May 16, 2017 at 5:10 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> I have just checked CsrfPreventionRequestCycleListener with overridden
> isChecked and it produces no errors
>
> I would vote for WebSocketAwareCsrfPreventionRequestCycleListener :)
>
> On Tue, May 16, 2017 at 5:50 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
> > Hi Maxim,
> >
> > You can use
> >
> > getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
> >     @Override
> >     protected boolean isChecked(IRequestHandler handler)
> >     {
> >         if (handler instanceof WebSocketRequestHandler
> >             || handler instanceof WebSocketMessageBroadcastHandler) {
> >             return false;
> >         }
> >         return super.isChecked(handler);
> >     }
> > });
> >
> > The upgrade request has a proper Origin header:
> >
> > 1. Accept-Encoding: gzip, deflate, sdch, br
> > 2. Accept-Language: en-US,en;q=0.8,bg;q=0.6
> > 3. Cache-Control: no-cache
> > 4. Connection: Upgrade
> > 5. Cookie: ....
> > 6. DNT: 1
> > 7. Host: localhost:8080
> > 8. Origin: http://localhost:8080
> > 9. Pragma: no-cache
> > 10. Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
> > 11. Sec-WebSocket-Key: FcSNIsIh3HO95UGmMUA27g==
> > 12. Sec-WebSocket-Version: 13
> > 13. Upgrade: websocket
> > 14. User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
> >
> > But the following communication is via the WebSocket connection and the
> > packets there do not bring request headers.
> > Wicket Native WebSocket module creates WebSocketRequest for each WS message
> > and those do not have request headers, so they can be safely ignored.
> > Maybe we can introduce WebSocketAwareCsrfPreventionRequestCycleListener in
> > wicket-native-websocket-core and recommend its usage when the app uses
> > WebSockets ?!
> >
> > Martin Grigorov
> > Wicket Training and Consulting
> > https://twitter.com/mtgrigorov
> >
> > On Mon, May 15, 2017 at 11:26 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >> Example project demonstrating it is here:
> >> https://github.com/solomax/ajax-download
> >>
> >> html with WebSocket.send:
> >> https://github.com/solomax/ajax-download/commit/84af661b1e5e110419f17dbf9295547c135a0cc5#diff-217ea4d3217197ce4ece382e050a7302R26
> >>
> >> On Mon, May 15, 2017 at 3:14 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >> > Thanks a lot for checking Martin,
> >> >
> >> > The issue seems to be caused by the following code in *.html (reproducible
> >> > using quickstart)
> >> >
> >> > <script type="text/javascript">
> >> > $(function() {
> >> >     Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, function() {
> >> >         Wicket.WebSocket.send("socketConnected");
> >> >     });
> >> > });
> >> > </script>
> >> >
> >> > I guess I need to manually set missing headers in such call
> >> >
> >> > Can you please help to set necessary headers?
> >> >
> >> > On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
> >> >> Hi Maxim,
> >> >>
> >> >> Just adding getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
> >> >> to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't
> >> >> lead to any error.
> >> >>
> >> >> Martin Grigorov
> >> >> Wicket Training and Consulting
> >> >> https://twitter.com/mtgrigorov
> >> >>
> >> >> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >> >>> Hello Martin,
> >> >>>
> >> >>> were you able to take a look at it?
> >> >>> I was hoping to have M6 with working Csrf+WebSockets ....
> >> >>>
> >> >>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >> >>> > Thanks a million, Martin :)
> >> >>> >
> >> >>> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
> >> >>> >> Hi Maxim,
> >> >>> >>
> >> >>> >> I don't use this combination.
> >> >>> >> But I will try to test it soon and see what can be done.
> >> >>> >>
> >> >>> >> Martin Grigorov
> >> >>> >> Wicket Training and Consulting
> >> >>> >> https://twitter.com/mtgrigorov
> >> >>> >>
> >> >>> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >> >>> >>> Does anybody use this filter?
> >> >>> >>>
> >> >>> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> >> >>> >>> > Hello All,
> >> >>> >>> >
> >> >>> >>> > I have just tried to add CsrfPreventionRequestCycleListener to our application;
> >> >>> >>> > everything seems to work except for Websockets :(
> >> >>> >>> >
> >> >>> >>> > Now I'm getting
> >> >>> >>> >
> >> >>> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
> >> >>> >>> > Possible CSRF attack, request URL:
> >> >>> >>> > /openmeetings/wicket/websocket?pageId=1&wicket-ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
> >> >>> >>> > Origin: null, action: aborted with error 400 Origin does not correspond to request
> >> >>> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.ws.api.WebSocketResponse -
> >> >>> >>> > An HTTP error response in WebSocket communication would not be processed by the
> >> >>> >>> > browser! If you need to send the error code and message to the client
> >> >>> >>> > then configure custom WebSocketResponse via
> >> >>> >>> > WebSocketSettings#newWebSocketResponse() factory method and override
> >> >>> >>> > #sendError() method to write them in an appropriate format for your
> >> >>> >>> > application. The ignored error code is '400' and the message: 'Origin
> >> >>> >>> > does not correspond to request'.
> >> >>> >>> >
> >> >>> >>> > in the logs ...
> >> >>> >>> > What should I do to set Origin for Websockets?
> >> >>> >>> >
> >> >>> >>> > --
> >> >>> >>> > WBR
> >> >>> >>> > Maxim aka solomax
> >> >>> >>>
> >> >>> >>> --
> >> >>> >>> WBR
> >> >>> >>> Maxim aka solomax
> >> >>> >>>
> >> >>> >>> ---------------------------------------------------------------------
> >> >>> >>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >> >>> >>> For additional commands, e-mail: users-h...@wicket.apache.org
> >> >>> >
> >> >>> > --
> >> >>> > WBR
> >> >>> > Maxim aka solomax
> >> >>>
> >> >>> --
> >> >>> WBR
> >> >>> Maxim aka solomax
> >> >
> >> > --
> >> > WBR
> >> > Maxim aka solomax
> >>
> >> --
> >> WBR
> >> Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax
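A stand-alone model of the decision the thread arrives at, added here as an example; it is not Wicket's code. Only the WebSocket upgrade request carries HTTP headers, so the per-message WebSocketRequest has a null Origin and the listener's check must be skipped for the two WebSocket handlers while it still applies to ordinary requests. The Origin-versus-Host comparison is simplified from the real listener, and the handler name "PageHandler" and all sample requests are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The two handlers exempted by the isChecked override in the thread.
WEBSOCKET_HANDLERS = {"WebSocketRequestHandler", "WebSocketMessageBroadcastHandler"}


@dataclass
class Request:
    handler: str                                  # simple name of the IRequestHandler
    url: str
    headers: dict = field(default_factory=dict)   # empty for frames on an open socket


def is_checked(req: Request) -> bool:
    """Mirror of the override: per-message WebSocket handlers are not checked."""
    return req.handler not in WEBSOCKET_HANDLERS


def origin_matches_host(req: Request) -> bool:
    """Origin (falling back to Referer) must name the same host:port as Host.
    A missing Origin counts as a mismatch in this simplified model."""
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    host = req.headers.get("Host")
    if not origin or not host:
        return False
    return urlsplit(origin).netloc.lower() == host.lower()


def decide(req: Request) -> str:
    """Return the listener's action for one request."""
    if not is_checked(req):
        return "not checked"
    if origin_matches_host(req):
        return "allowed"
    return "aborted 400 Origin does not correspond to request"


# Constructed sample traffic: a same-origin page request, a cross-origin one,
# and a WebSocket frame that carries no headers at all (the case in the log).
SAMPLES = [
    Request("PageHandler", "/app/", {"Host": "localhost:8080", "Origin": "http://localhost:8080"}),
    Request("PageHandler", "/app/", {"Host": "localhost:8080", "Origin": "http://other.example"}),
    Request("WebSocketRequestHandler", "/app/wicket/websocket?pageId=1"),
]


def run(samples=SAMPLES):
    return [decide(r) for r in samples]


if __name__ == "__main__":
    for r, outcome in zip(SAMPLES, run()):
        print(f"{r.handler:32s} {outcome}")
```

Without the exemption the third sample is what produced the "Origin: null ... aborted with error 400" line in Maxim's log; with it, cross-origin page requests are still rejected.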