camunda BPM - CAM-10791

Firefox does not send CSRF cookie if initial request comes from a cross-origin

    Description

Steps to reproduce

1. Use Firefox
2. Add a link to the Webapps on a webpage located at a cross-origin (e.g. by using the developer console to manipulate the DOM of this webpage)
3. Click the link to the Webapps
4. Log in to the Webapps
5. Perform an action that results in a POST request (e.g. by clicking on the running instances count on the dashboard)

Observed behavior

• The session is invalidated since the CSRF token request header is absent
• It is not possible to perform modifying requests until Firefox is restarted

Expected behavior
The session is not invalidated and the CSRF token request header is present.

Solution
Change the default value of the SameSite property of the CSRF cookie from Strict to Lax

Hints

• With the Lax option the cookie is sent on a GET request that originates from the cross-origin
• The problem reoccurs if a modifying request is sent from a cross-origin
• Only a restart of the browser makes the Webapps usable again
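The behaviour behind the steps and hints above, modelled as an added example that is not Camunda's code: a simplified SameSite rule deciding whether the browser attaches the CSRF cookie, and a generic double-submit check standing in for the webapp's CSRF filter. The token value is constructed, and the Firefox-specific persistence of the missing cookie until restart is not modelled.

```python
# Added example (not Camunda's code): a model of the two decisions behind this issue.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def browser_attaches_cookie(same_site, cross_site, method, top_level_navigation):
    """Simplified SameSite rule as browsers apply it to a cookie.

    Strict: never attached to a request initiated from another site.
    Lax:    attached cross-site only for a top-level navigation with a safe
            method (clicking a link), never for a cross-site POST.
    None:   always attached (real browsers also require Secure; ignored here).
    """
    if not cross_site or same_site == "None":
        return True
    if same_site == "Lax":
        return top_level_navigation and method in SAFE_METHODS
    return False  # Strict


def csrf_filter(method, cookie_token, header_token):
    """Generic double-submit check (assumed model of the webapp's filter):
    a modifying request must repeat the cookie token in a request header."""
    if method in SAFE_METHODS:
        return "allow"
    if cookie_token is None or header_token != cookie_token:
        return "reject"  # the issue reports the session being invalidated here
    return "allow"


def simulate(same_site, method, cross_site, top_level_navigation=True):
    """One request under a given SameSite default. Returns (cookie_sent, verdict).
    The client script is modelled as echoing whatever cookie value it received
    into the token header; the token itself is a constructed sample value."""
    token = "constructed-sample-token"
    sent = browser_attaches_cookie(same_site, cross_site, method, top_level_navigation)
    cookie_token = token if sent else None
    header_token = cookie_token
    return sent, csrf_filter(method, cookie_token, header_token)


if __name__ == "__main__":
    # Step 3 of the report: arriving at the Webapps via a link on a cross-origin page.
    print("Strict, cross-site GET:", simulate("Strict", "GET", cross_site=True))  # cookie withheld
    print("Lax, cross-site GET:   ", simulate("Lax", "GET", cross_site=True))     # cookie sent (hint 1)
    print("Lax, cross-site POST:  ", simulate("Lax", "POST", cross_site=True))    # rejected (hint 2)
    print("Lax, same-site POST:   ", simulate("Lax", "POST", cross_site=False))   # normal operation
```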

People

akif.hazarvi Akif
tassilo.weidner Tassilo Weidner