In my application, CSRF protection is implemented in RPCManager.transformRequest. It adds an XSRF header to all requests. This works in all cases except for file uploads.
It looks like file upload requests generate an additional request, bypassing RPCManager.transformRequest or overwriting the headers.
I don't want to add the _csrf token to the URL using RPCManager.setActionURL(); this is not in line with our organization's security policy.
Another solution, less secure than custom headers but also acceptable, could be to add a hidden element to the form.
Unfortunately I can't find any way to do it this way.
The HTML should look like this:
<form action="..." method="post">
<input type="FILE" name="fileName" .... >
<input type="hidden" name="_csrf" value="3333333-4444-5555-6666-0872128000000" />
Unfortunately we still use 4.1. I expect the same problem in the current version.
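Added example, not part of the original post and not SmartClient code: a server-side check that accepts the token either from the custom header (normal RPC requests) or from the hidden `_csrf` field of a multipart upload form, as the post proposes. It assumes a Node.js back end; the header name `x-xsrf-token` and the function names are hypothetical, and the sample request is constructed.

```javascript
const crypto = require('crypto');

const HEADER_NAME = 'x-xsrf-token'; // assumed name; the post only says "XSRF header"
const FIELD_NAME = '_csrf';         // hidden field name used in the post

// Pull one plain (non-file) field out of a multipart/form-data body.
function multipartField(contentType, body, fieldName) {
  const m = /boundary=(?:"([^"]+)"|([^;]+))/i.exec(contentType || '');
  if (!m) return null;
  const boundary = '--' + (m[1] || m[2]).trim();
  // latin1 maps bytes 1:1, so uploaded binary data does not break the search
  for (const part of body.toString('latin1').split(boundary)) {
    const sep = part.indexOf('\r\n\r\n');
    if (sep === -1) continue;
    const head = part.slice(0, sep);
    const disp = /content-disposition:\s*form-data;([^\r\n]*)/i.exec(head);
    if (!disp || /filename=/i.test(disp[1])) continue; // never read the token from a file part
    const name = /(?:^|;)\s*name="([^"]*)"/i.exec(disp[1]);
    if (name && name[1] === fieldName) return part.slice(sep + 4).replace(/\r\n$/, '');
  }
  return null;
}

// Token may arrive in the header (XHR path) or in the hidden field (form-post upload path).
function csrfOk(sessionToken, headers, body) {
  const supplied = headers[HEADER_NAME] ||
    multipartField(headers['content-type'], body, FIELD_NAME);
  if (typeof supplied !== 'string' || !sessionToken) return false;
  const a = crypto.createHash('sha256').update(supplied).digest();
  const b = crypto.createHash('sha256').update(sessionToken).digest();
  return crypto.timingSafeEqual(a, b); // constant-time compare of equal-length digests
}

// Constructed sample: an upload form post carrying a file part and the hidden field.
const TOKEN = '3333333-4444-5555-6666-0872128000000'; // sample value from the post
function sampleUpload(token) {
  const b = 'XBOUNDARYX';
  return {
    headers: { 'content-type': `multipart/form-data; boundary=${b}` },
    body: Buffer.from(
      `--${b}\r\nContent-Disposition: form-data; name="fileName"; filename="a.bin"\r\n` +
      `Content-Type: application/octet-stream\r\n\r\n\x00\x01data\r\n` +
      `--${b}\r\nContent-Disposition: form-data; name="_csrf"\r\n\r\n${token}\r\n--${b}--\r\n`,
      'latin1'),
  };
}
```

Because the token travels in the request body rather than the URL, it stays out of access logs and Referer headers.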