Thanks a lot Martin! Will check as soon as I get back from vacation :)

WBR,
Maxim (from mobile, sorry for the typos)
On May 31, 2017 22:38, "Martin Grigorov" <mgrigo...@apache.org> wrote:
> https://issues.apache.org/jira/browse/WICKET-6389
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Tue, May 16, 2017 at 5:10 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> > I just have checked CsrfPreventionRequestCycleListener with overridden
> > isChecked and it produces no errors
> >
> > I would vote for WebSocketAwareCsrfPreventionRequestCycleListener :)
> >
> > On Tue, May 16, 2017 at 5:50 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
> > > Hi Maxim,
> > >
> > > You can use
> > >
> > > getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
> > >     @Override
> > >     protected boolean isChecked(IRequestHandler handler)
> > >     {
> > >         if (handler instanceof WebSocketRequestHandler || handler instanceof WebSocketMessageBroadcastHandler) {
> > >             return false;
> > >         }
> > >         return super.isChecked(handler);
> > >     }
> > > });
> > >
> > > The upgrade request has a proper Origin header:
> > >
> > > 1. Accept-Encoding: gzip, deflate, sdch, br
> > > 2. Accept-Language: en-US,en;q=0.8,bg;q=0.6
> > > 3. Cache-Control: no-cache
> > > 4. Connection: Upgrade
> > > 5. Cookie: ....
> > > 6. DNT: 1
> > > 7. Host: localhost:8080
> > > 8. Origin: http://localhost:8080
> > > 9. Pragma: no-cache
> > > 10. Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
> > > 11. Sec-WebSocket-Key: FcSNIsIh3HO95UGmMUA27g==
> > > 12. Sec-WebSocket-Version: 13
> > > 13. Upgrade: websocket
> > > 14. User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
> > >
> > > But the following communication is via the WebSocket connection and the packets there do not bring request headers.
> > > Wicket Native WebSocket module creates WebSocketRequest for each WS message and those do not have request headers, so they can be safely ignored.
> > > Maybe we can introduce WebSocketAwareCsrfPreventionRequestCycleListener in wicket-native-websocket-core and recommend its usage when the app uses WebSockets ?!
> > >
> > > Martin Grigorov
> > > Wicket Training and Consulting
> > > https://twitter.com/mtgrigorov
> > >
> > > On Mon, May 15, 2017 at 11:26 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> > >> Example project demonstrating it is here:
> > >> https://github.com/solomax/ajax-download
> > >>
> > >> html with WebSocket.send:
> > >> https://github.com/solomax/ajax-download/commit/84af661b1e5e110419f17dbf9295547c135a0cc5#diff-217ea4d3217197ce4ece382e050a7302R26
> > >>
> > >> On Mon, May 15, 2017 at 3:14 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> > >> > Thanks a lot for checking Martin,
> > >> >
> > >> > The issue seems to be caused by the following code in *.html (reproducible using quickstart)
> > >> >
> > >> > <script type="text/javascript">
> > >> > $(function() {
> > >> >     Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, function() {
> > >> >         Wicket.WebSocket.send("socketConnected");
> > >> >     });
> > >> > });
> > >> > </script>
> > >> >
> > >> > I guess I need to manually set missing headers in such call
> > >> >
> > >> > Can you please help to set necessary headers?
> > >> >
> > >> > On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
> > >> >> Hi Maxim,
> > >> >>
> > >> >> Just adding getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
> > >> >> to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't lead to any error.
> > >> >>
> > >> >> Martin Grigorov
> > >> >> Wicket Training and Consulting
> > >> >> https://twitter.com/mtgrigorov
> > >> >>
> > >> >> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> > >> >>> Hello Martin,
> > >> >>>
> > >> >>> were you able to take a look at it?
> > >> >>> I was hoping to have M6 with working Csrf+WebSockets ....
> > >> >>>
> > >> >>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> > >> >>> > Thanks a million, Martin :)
> > >> >>> >
> > >> >>> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
> > >> >>> >> Hi Maxim,
> > >> >>> >>
> > >> >>> >> I don't use this combination.
> > >> >>> >> But I will try to test it soon and see what can be done.
> > >> >>> >>
> > >> >>> >> Martin Grigorov
> > >> >>> >> Wicket Training and Consulting
> > >> >>> >> https://twitter.com/mtgrigorov
> > >> >>> >>
> > >> >>> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> > >> >>> >>> Does anybody use this filter?
> > >> >>> >>>
> > >> >>> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> > >> >>> >>> > Hello All,
> > >> >>> >>> >
> > >> >>> >>> > just have tried to add CsrfPreventionRequestCycleListener to our application
> > >> >>> >>> > everything seems to work except for Websockets :(
> > >> >>> >>> >
> > >> >>> >>> > Now I'm getting
> > >> >>> >>> >
> > >> >>> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: /openmeetings/wicket/websocket?pageId=1&wicket-ajax-baseurl=&wicket-app-name=OpenmeetingsApplication, Origin: null, action: aborted with error 400 Origin does not correspond to request
> > >> >>> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error response in WebSocket communication would not be processed by the browser! If you need to send the error code and message to the client then configure custom WebSocketResponse via WebSocketSettings#newWebSocketResponse() factory method and override #sendError() method to write them in an appropriate format for your application. The ignored error code is '400' and the message: 'Origin does not correspond to request'.
> > >> >>> >>> >
> > >> >>> >>> > in the logs ...
> > >> >>> >>> > What should I do to set Origin for Websockets?
> > >> >>> >>> >
> > >> >>> >>> > --
> > >> >>> >>> > WBR
> > >> >>> >>> > Maxim aka solomax
> > >> >>> >>>
> > >> >>> >>> ---------------------------------------------------------------------
> > >> >>> >>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > >> >>> >>> For additional commands, e-mail: users-h...@wicket.apache.org
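The check the thread is about, modelled as an added example (this is not Wicket's code and not code from either participant): an Origin-based CSRF check that is applied to the HTTP upgrade request, where a browser sends an Origin header, but skipped for the per-message WebSocket requests, which carry no headers at all. The `Request` class, the `kind` flag standing in for Wicket's `WebSocketRequestHandler`/`WebSocketMessageBroadcastHandler` distinction, and the simplified rule "Origin host and port must equal the Host header" are assumptions of this model; the sample requests are constructed from the headers and the log line quoted in the thread.

```python
"""Model of an Origin-based CSRF check for a WebSocket upgrade and the
WebSocket message requests that follow it (added example, not Wicket code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: default ports used when Origin or Host omits one.
_DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    kind: str                      # "http" (incl. the upgrade) or "ws_message"
    url: str
    headers: dict = field(default_factory=dict)
    scheme: str = "http"           # scheme the server received the request on

    def header(self, name):
        """Case-insensitive header lookup; None when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def _host_port(authority, scheme):
    """Split 'host[:port]' into (lowercased host, port), filling the default port."""
    try:
        parts = urlsplit(f"{scheme}://{authority}")
        return parts.hostname, parts.port or _DEFAULT_PORTS[scheme]
    except ValueError:             # malformed port etc.
        return None


def origin_matches_host(request):
    """Simplified Origin-vs-Host comparison (assumption of this model)."""
    origin = request.header("Origin")
    host = request.header("Host")
    if origin is None or host is None:
        return False               # no Origin at all (or literal "null") fails
    o = urlsplit(origin)
    if o.scheme not in _DEFAULT_PORTS:
        return False               # "null" or an opaque origin
    return _host_port(o.netloc, o.scheme) == _host_port(host, request.scheme)


def is_checked(request, skip_ws_messages=True):
    """Mirrors the isChecked override from the thread: WebSocket message
    requests are not subjected to the Origin check when skip_ws_messages is True."""
    return not (request.kind == "ws_message" and skip_ws_messages)


def check_request(request, skip_ws_messages=True):
    """Return 'allowed' or 'aborted 400' for a request."""
    if not is_checked(request, skip_ws_messages):
        return "allowed"           # already validated at upgrade time
    return "allowed" if origin_matches_host(request) else "aborted 400"


# Constructed sample requests, modelled on the headers and log line in the thread.
WS_URL = "/openmeetings/wicket/websocket?pageId=1"
UPGRADE = Request("http", WS_URL, {
    "Host": "localhost:8080",
    "Origin": "http://localhost:8080",
    "Connection": "Upgrade",
    "Upgrade": "websocket",
    "Sec-WebSocket-Version": "13",
})
# A WebSocketRequest built for one WS message: no headers, hence "Origin: null".
WS_MESSAGE = Request("ws_message", WS_URL)
# Constructed cross-origin upgrade, to show the check still rejects a mismatch.
CROSS_ORIGIN_UPGRADE = Request("http", WS_URL, {
    "Host": "localhost:8080",
    "Origin": "http://other.example:8080",
})


def run_demo():
    """Evaluate the samples with the stock check and with the WS-aware skip."""
    return {
        "upgrade": check_request(UPGRADE),
        "ws_message_stock": check_request(WS_MESSAGE, skip_ws_messages=False),
        "ws_message_ws_aware": check_request(WS_MESSAGE),
        "cross_origin_upgrade": check_request(CROSS_ORIGIN_UPGRADE),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22s} {verdict}")
```

With the stock behaviour the header-less message request is reported as "aborted 400", which is the log line Maxim saw; with the skip in place it passes, while a cross-origin upgrade is still rejected because the upgrade request is the one carrying the Origin header.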