eZ Publish / Platform: EZP-19659

ezformtoken extension does not support AJAX / REST calls


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • Version/s: 2012.8, 4.7.0-dev, 5.0.0-dev

    Description

      Web service protocols which use POST requests with data encoded in formats other than URL-form-encoded cannot pass ezformtoken validation, because it only looks in $_POST for the token.

      It seems logical to support workarounds, such as checking for the presence of the token in the query string or in a custom HTTP header as well (Rails, for example, supports both).

      Bibliography

      http://stackoverflow.com/questions/10719804/csrf-token-using
      https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
      http://stackoverflow.com/questions/1090244/rails-auth-token-and-ajax
      http://stackoverflow.com/questions/7203304/warning-cant-verify-csrf-token-authenticity-rails
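The lookup order the report asks for, as an added example in PHP (this is not ezformtoken's own code and does not use its API): a JSON or XML POST leaves $_POST empty, so the check falls through to a custom request header and, as a last resort, the query string. The parameter name `ezxform_token`, the session value and the sample requests are constructed for the illustration; the header names `X-CSRF-Token` and `X-CSRFToken` follow the Rails and Django conventions cited above, and the constant-time compare via `hash_equals()` assumes PHP 5.6 or later.

```php
<?php
// Added example, not part of the ezformtoken extension.
// Locate a CSRF token in the places a web-service client can realistically
// send it, then compare it against the server-side value.

function csrf_param_name()
{
    return 'ezxform_token'; // assumed form/query parameter name
}

function csrf_header_keys()
{
    // $_SERVER keys PHP derives from the request headers:
    // X-CSRF-Token (Rails convention) and X-CSRFToken (Django convention)
    return array('HTTP_X_CSRF_TOKEN', 'HTTP_X_CSRFTOKEN');
}

/**
 * Return the token the client sent, or null if none was found.
 * Order: form body ($_POST), custom header, then query string.
 * The query string is last on purpose: tokens in URLs end up in access
 * logs and Referer headers, so it is only a fallback for non-form bodies.
 */
function csrf_find_token(array $post, array $server, array $get)
{
    $name = csrf_param_name();
    if (isset($post[$name]) && is_string($post[$name])) {
        return $post[$name];
    }
    foreach (csrf_header_keys() as $key) {
        if (isset($server[$key]) && is_string($server[$key])) {
            return $server[$key];
        }
    }
    if (isset($get[$name]) && is_string($get[$name])) {
        return $get[$name];
    }
    return null;
}

/**
 * True only when a token was sent and it matches the expected value.
 * An empty or missing server-side token always fails closed.
 */
function csrf_is_valid($expected, array $post, array $server, array $get)
{
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    $sent = csrf_find_token($post, $server, $get);
    if ($sent === null) {
        return false;
    }
    return hash_equals($expected, $sent); // constant-time compare, PHP >= 5.6
}

// Constructed sample requests (not captured traffic):
$expected = 'tok-4f2a9c1e';

// 1. Classic HTML form POST: token arrives in $_POST.
$formPost = array('ezxform_token' => 'tok-4f2a9c1e');
var_dump(csrf_is_valid($expected, $formPost, array(), array()));        // bool(true)

// 2. JSON REST call: $_POST is empty, token arrives in X-CSRF-Token.
$jsonServer = array('CONTENT_TYPE' => 'application/json',
                    'HTTP_X_CSRF_TOKEN' => 'tok-4f2a9c1e');
var_dump(csrf_is_valid($expected, array(), $jsonServer, array()));       // bool(true)

// 3. XML-RPC style call with the token only in the query string.
$query = array('ezxform_token' => 'tok-4f2a9c1e');
var_dump(csrf_is_valid($expected, array(), array(), $query));            // bool(true)

// 4. Wrong token in the header: rejected.
$badServer = array('HTTP_X_CSRF_TOKEN' => 'tok-00000000');
var_dump(csrf_is_valid($expected, array(), $badServer, array()));        // bool(false)

// 5. No token anywhere (the case the report describes): rejected.
var_dump(csrf_is_valid($expected, array(), $jsonServer === null ? array() : array('CONTENT_TYPE' => 'application/json'), array())); // bool(false)
```

Whichever channel supplies the token, the value must still be tied to the user's session and compared in constant time; accepting the header only for requests whose body is not form-encoded keeps ordinary form submissions on the original $_POST path.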

      People

        andre1
        Gaetano Giunta