Posted to users@wicket.apache.org by Francois Meillet <fr...@gmail.com> on 2016/11/13 17:33:52 UTC

CsrfPreventionRequestCycleListener Link 400

Hi,

When I use a CsrfPreventionRequestCycleListener, clicking a Link<> while holding the command key does not open link in new tab.
(Wicket 8.0.0-M2 / OSX)

I get this error : 

HTTP ERROR 400
Problem accessing /. Reason: Origin does not correspond to request


Clicking a BookmarkablePageLink is ok.


François


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: CsrfPreventionRequestCycleListener Link 400

Posted by Francois Meillet <fr...@gmail.com>.
Thanks a lot for your very detailed information.

François


> Le 14 nov. 2016 à 09:25, Emond Papegaaij <em...@topicus.nl> a écrit :
> 
> Hi François,
> 
> Since 8.0.0-M2 (and 7.5.0) the CsrfPreventionRequestCycleListener will block 
> requests without an Origin and Referer header. The reason for this is that it is 
> possible for an attacker to prevent a browser from sending a Referer header 
> (for example with rel="noreferrer"). When you open a link in a new tab, your 
> browser probably does not send these headers and Wicket blocks the action 
> request.
> 
> You can configure this behavior in CsrfPreventionRequestCycleListener with 
> setNoOriginAction. As said, the default is 'ABORT'. If you set it to 
> 'SUPPRESS', Wicket will render the page, but not execute Link.onClick. This 
> will open the new tab with the page containing the link. If you set it to 
> 'ALLOW', Wicket will allow the request, but this may undermine the protection 
> offered by CsrfPreventionRequestCycleListener.
> 
> If your link simply points to a different page, I'd recommend using a 
> BookmarkablePageLink. A request to simply render a page will never be blocked 
> by CsrfPreventionRequestCycleListener, so a BookmarkablePageLink will always 
> work. Naturally, for this to work your target page needs to be bookmarkable.
> 
> You can also subclass CsrfPreventionRequestCycleListener and override 
> 'protected boolean isChecked(IRequestHandler handler)' to whitelist specific 
> requests. Perhaps you can tag safe links and skip checking those. This 
> solution offers you the most flexibility, but requires more work and you need 
> to be very precise in what requests to allow.
> 
> Best regards,
> Emond
> 
> 
> On zondag 13 november 2016 18:33:52 CET Francois Meillet wrote:
>> Hi,
>> 
>> When I use a CsrfPreventionRequestCycleListener, clicking a Link<> while
>> holding the command key does not open link in new tab. (Wicket 8.0.0-M2 /
>> OSX)
>> 
>> I get this error :
>> 
>> HTTP ERROR 400
>> Problem accessing /. Reason: Origin does not correspond to request
>> 
>> 
>> Clicking a BookmarkablePageLink is ok.
>> 
>> 
>> François
>> 
>> 
> 
> 
> 
> 




Re: CsrfPreventionRequestCycleListener Link 400

Posted by Emond Papegaaij <em...@topicus.nl>.
Hi François,

Since 8.0.0-M2 (and 7.5.0) the CsrfPreventionRequestCycleListener will block 
requests without an Origin and Referer header. The reason for this is that it is 
possible for an attacker to prevent a browser from sending a Referer header 
(for example with rel="noreferrer"). When you open a link in a new tab, your 
browser probably does not send these headers and Wicket blocks the action 
request.

You can configure this behavior in CsrfPreventionRequestCycleListener with 
setNoOriginAction. As said, the default is 'ABORT'. If you set it to 
'SUPPRESS', Wicket will render the page, but not execute Link.onClick. This 
will open the new tab with the page containing the link. If you set it to 
'ALLOW', Wicket will allow the request, but this may undermine the protection 
offered by CsrfPreventionRequestCycleListener.

If your link simply points to a different page, I'd recommend using a 
BookmarkablePageLink. A request to simply render a page will never be blocked 
by CsrfPreventionRequestCycleListener, so a BookmarkablePageLink will always 
work. Naturally, for this to work your target page needs to be bookmarkable.

You can also subclass CsrfPreventionRequestCycleListener and override 
'protected boolean isChecked(IRequestHandler handler)' to whitelist specific 
requests. Perhaps you can tag safe links and skip checking those. This 
solution offers you the most flexibility, but requires more work and you need 
to be very precise in what requests to allow.

Best regards,
Emond


On zondag 13 november 2016 18:33:52 CET Francois Meillet wrote:
> Hi,
> 
> When I use a CsrfPreventionRequestCycleListener, clicking a Link<> while
> holding the command key does not open link in new tab. (Wicket 8.0.0-M2 /
> OSX)
> 
> I get this error :
> 
> HTTP ERROR 400
> Problem accessing /. Reason: Origin does not correspond to request
> 
> 
> Clicking a BookmarkablePageLink is ok.
> 
> 
> François
> 
> 



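The two configuration options Emond describes (setNoOriginAction and overriding isChecked to whitelist tagged links) put together in one listener, as an added example that is not code from the thread or from the Wicket project. The class and key names (TaggedCsrfListener, CSRF_EXEMPT, MyApplication, DetailsPage) are mine; the Wicket APIs used (CsrfPreventionRequestCycleListener, its nested CsrfAction enum, setNoOriginAction, setConflictingOriginAction, isChecked(IRequestHandler), IComponentRequestHandler, IRequestHandlerDelegate, MetaDataKey) are the ones shipped in Wicket 7.5 / 8.0, but check the signatures against the exact version you run, since 8.0.0-M2 was a milestone build.

```java
import org.apache.wicket.Component;
import org.apache.wicket.MetaDataKey;
import org.apache.wicket.core.request.handler.IComponentRequestHandler;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestHandlerDelegate;
import org.apache.wicket.request.component.IRequestableComponent;

/**
 * CSRF listener (hypothetical name) that keeps ABORT for a request whose Origin
 * conflicts with the target, degrades a *missing* Origin/Referer (the cmd-click /
 * new-tab case from the thread) to SUPPRESS, and skips the check entirely for
 * components an application developer has explicitly tagged as exempt.
 */
public class TaggedCsrfListener extends CsrfPreventionRequestCycleListener
{
    /** Marker key (assumed name): TRUE on a component whose listener request may skip the Origin check. */
    public static final MetaDataKey<Boolean> CSRF_EXEMPT = new MetaDataKey<Boolean>() {};

    public TaggedCsrfListener()
    {
        // New tab: no Origin and no Referer. SUPPRESS renders the page that holds
        // the link but does not run Link.onClick, so the user sees the page rather
        // than an HTTP 400, and no state change happens.
        setNoOriginAction(CsrfAction.SUPPRESS);
        // A request that *does* carry an origin, but a foreign one, is a real
        // cross-site request: keep rejecting it (this is the default anyway).
        setConflictingOriginAction(CsrfAction.ABORT);
    }

    @Override
    protected boolean isChecked(IRequestHandler handler)
    {
        Component target = targetComponent(handler);
        if (target != null && Boolean.TRUE.equals(target.getMetaData(CSRF_EXEMPT)))
        {
            // Exempt: only tag links whose onClick has no side effects, because
            // an attacker can now trigger it from any origin without a Referer.
            return false;
        }
        return super.isChecked(handler);
    }

    /** Unwrap delegating handlers and return the component a listener request targets, or null. */
    private static Component targetComponent(IRequestHandler handler)
    {
        while (handler instanceof IRequestHandlerDelegate)
        {
            handler = ((IRequestHandlerDelegate) handler).getDelegateHandler();
        }
        if (handler instanceof IComponentRequestHandler)
        {
            IRequestableComponent c = ((IComponentRequestHandler) handler).getComponent();
            return c instanceof Component ? (Component) c : null;
        }
        return null;
    }

    /** Registration in the application (hypothetical application class). */
    public static class MyApplication extends WebApplication
    {
        @Override
        public Class<? extends org.apache.wicket.Page> getHomePage()
        {
            return DetailsPage.class; // assumed page class
        }

        @Override
        protected void init()
        {
            super.init();
            getRequestCycleListeners().add(new TaggedCsrfListener());
        }
    }

    /** Assumed target page; in a real application this would be a bookmarkable page of its own. */
    public static class DetailsPage extends org.apache.wicket.markup.html.WebPage
    {
        public DetailsPage()
        {
            // A navigation-only link: safe to exempt because onClick only switches pages.
            Link<Void> details = new Link<Void>("details")
            {
                @Override
                public void onClick()
                {
                    setResponsePage(DetailsPage.class);
                }
            };
            details.setMetaData(CSRF_EXEMPT, Boolean.TRUE);
            add(details);
        }
    }
}
```

The order of the three checks matters: isChecked runs first, so an exempt component never reaches the Origin comparison at all, while every other listener request still gets the full check and, when the headers are simply absent, the softer SUPPRESS outcome instead of a 400. As Emond notes, a link that only navigates is better expressed as a BookmarkablePageLink, which never goes through this code path; reserve the exemption for Link.onClick bodies that genuinely have no side effects.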