Hi – I’ve been running into an issue recently and was hoping somebody might be able to help.
We have a Wicket application (8.17.0) in which we generate a PDF using a FileResourceStream and display in a new tab within the browser. We have a CsrfPreventionRequestCycleListener added to our WebApplication class for a specific origin:

    getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener().addAcceptedOrigin("<accepted origin>"));

When the file is generated, the origin request header is not added to the request. If opening in a browser with the “Adobe Acrobat: PDF edit, convert, sign tools” extension enabled, the request is aborted and the PDF will not display. The below message is written to the logs:

    2025-06-05 08:26:56,049 INFO o.a.w.p.h.CsrfPreventionRequestCycleListener [CsrfPreventionRequestCycleListener.java:779] Possible CSRF attack, request URL: <actual URL>, Origin: null, action: aborted with error 400 Origin does not correspond to request

Below is the code for the link that generates the PDF for display in a new tab:

    Link<CustomDocument> downloadLink = new Link<CustomDocument>("downloadLink", getModel()) {
        @Override
        public void onClick() {
            FileResourceStream resourceStream = new FileResourceStream(
                new CustomDocumentFileLoadableModel(getModelObject().getId()).getObject());
            getRequestCycle().scheduleRequestHandlerAfterCurrent(
                new ResourceStreamRequestHandler(resourceStream));
        }
    };

I’m looking to either generate the file via a resource stream with the origin request header appended to the request or to exclude this particular request from being evaluated by the CsrfPreventionRequestCycleListener. To this point, I haven’t had any luck overriding isChecked(IRequestHandler handler) to handle this scenario.

Thanks in advance for any guidance you can provide.