[MAGNOLIA-6211] Popup requires another login in IE 11

Created: 18/May/15
Updated: 03/Dec/20
Resolved: 15/Jun/15

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 4.5.22
Fix Version/s: 4.5.25

Type: Bug
Priority: Neutral
Reporter: Jörg Wirsig
Assignee: Christoph Meier
Resolution: Won't Fix
Votes: 0
Labels: support
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates

 Description   

When trying to edit an item in data repository, the opening popup requires an additional login with the following message provided.

Magnolia requires that requests include the http 'request' header. Please ensure that your browser or your company internet proxy do not modify the http 'request' header when accessing Magnolia.
Attention: the browser URL is not the standard login address, logging in with this URL may change data. Go to standard address (Change no data)

When switching back to version 4.5.17, the same action does not lead to that behavior.

The system is in both cases a dev system with no proxy or anything else in between.



 Comments   
Comment by Christoph Meier [ 12/Jun/15 ]

Seems to be a problem with every popup. Same problem when editing content on a page.

Comment by Christoph Meier [ 12/Jun/15 ]

First findings:
When opening a pop-up with IE11, CsrfSecurityFilter#isAllowed() returns false, indicating a possible CSRF attack.
The underlying reason: refererURL is not set on the HTTP header requesting the pop-up (when using IE11).
This said, it looks like the "issue" was "introduced" with MAGNOLIA-5807 (on our site).

Comment by Christoph Meier [ 15/Jun/15 ]

Since this is actually an issue of Internet Explorer, and since there is no appropriate workaround to force IE to add the referrer to the HTTP request header (e.g. when opening a pop up), this issue will be closed with a "won't fix".
However - you can configure the CsrfSecurityFilter in a way that it is bypassed depending on the userAgent using info.magnolia.voting.voters.UserAgentVoter - this means: The CsrfSecurityFilter can be disabled for Internet Explorer.
See https://documentation.magnolia-cms.com/display/DOCS/Filters#Filters-CSRFandInternetExplorer
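
Added example (not part of the ticket and not Magnolia's CsrfSecurityFilter code): a minimal Referer-based check that fails closed when the header is absent, as in the IE 11 pop-up case above, next to a User-Agent-keyed bypass. The class, method names, host, paths and the "Trident/" match are assumptions made for illustration; the last request shows that once the bypass is on, the Referer is no longer checked for any request presenting that User-Agent.

```java
import java.net.URI;
import java.util.Map;

// Illustrative sketch only; names and matching rule are assumptions.
public class RefererCheckDemo {

    // Allow only when a Referer is present and names our own host.
    static boolean refererAllowed(Map<String, String> headers, String ownHost) {
        String referer = headers.get("Referer");
        if (referer == null || referer.isEmpty()) {
            return false; // no Referer (the IE 11 pop-up case): fail closed
        }
        try {
            // getHost() may be null; equalsIgnoreCase(null) is false
            return ownHost.equalsIgnoreCase(URI.create(referer).getHost());
        } catch (IllegalArgumentException e) {
            return false; // unparseable Referer
        }
    }

    // Hypothetical bypass rule keyed on the User-Agent header.
    static boolean bypassedByUserAgent(Map<String, String> headers) {
        return headers.getOrDefault("User-Agent", "").contains("Trident/");
    }

    static String decide(Map<String, String> headers, String ownHost, boolean bypassOn) {
        if (bypassOn && bypassedByUserAgent(headers)) {
            return "ALLOW (Referer check skipped)";
        }
        return refererAllowed(headers, ownHost) ? "ALLOW" : "REJECT";
    }

    public static void main(String[] args) {
        String host = "cms.example.test"; // constructed host
        String ie11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko";
        // Constructed requests
        Map<String, String> sameSite = Map.of(
            "Referer", "http://cms.example.test/edit", "User-Agent", "Mozilla/5.0 Firefox/38.0");
        Map<String, String> iePopup = Map.of("User-Agent", ie11); // no Referer sent
        Map<String, String> ieOtherSite = Map.of(
            "Referer", "http://other.example.test/page", "User-Agent", ie11);

        System.out.println("same-site referer:        " + decide(sameSite, host, false));
        System.out.println("IE11 pop-up, bypass off:  " + decide(iePopup, host, false));
        System.out.println("IE11 pop-up, bypass on:   " + decide(iePopup, host, true));
        System.out.println("IE11 other site, off:     " + decide(ieOtherSite, host, false));
        System.out.println("IE11 other site, on:      " + decide(ieOtherSite, host, true));
    }
}
```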

Generated at Mon Feb 12 04:12:21 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.