
[FIX] skip CSRF checks for Tiki server-side initiated remote calls to Tiki ajax services

Victor Emanouilov requested to merge kroky/tiki:bugfix/remote-sync into master

Remote tracker synchronization fails creating new items as CSRF checks fail: origins are different and no CSRF ticket is submitted. We don't really need a CSRF check for a server-to-server call. This fix adds an "X-Requested-With: Tiki" header to all Tiki server-to-server initiated calls and skips CSRF checks if such a header exists. This header cannot be spoofed on the client side or in a CSRF scheme through a browser form.
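As an added illustration (not Tiki's own code), this sketches both halves of the mechanism the description refers to: the calling Tiki tags its outgoing request, and the receiving side skips the ticket check only for that tag and otherwise still requires a matching CSRF ticket. The function names and the header normalization are assumptions, not Tiki APIs.

```php
<?php
// Caller side (server-to-server): add the marker header to an outgoing curl request.
// Assumed helper; a plain HTML form cannot attach a custom header like this.
function buildRemoteRequestHeaders(array $extra = []): array
{
    return array_merge($extra, ['X-Requested-With: Tiki']);
}

// Receiving side: decide whether the request may bypass the CSRF ticket check.
// $headers are request headers with lowercased names (e.g. from getallheaders()),
// $submittedTicket is the ticket sent with the request, $sessionTicket the one stored server-side.
function csrfCheckPasses(array $headers, ?string $submittedTicket, ?string $sessionTicket): bool
{
    // Only an exact match on the marker header skips the ticket. A browser form post cannot set
    // this header, and a cross-origin XMLHttpRequest/fetch that tries to is stopped by CORS preflight
    // unless the server explicitly allows the header for that origin.
    if (($headers['x-requested-with'] ?? '') === 'Tiki') {
        return true;
    }
    // Everything else must present a ticket that matches the session, compared in constant time.
    if ($submittedTicket === null || $sessionTicket === null) {
        return false;
    }
    return hash_equals($sessionTicket, $submittedTicket);
}

// Normalize header names once so lookups above are case-insensitive.
function normalizeHeaders(array $raw): array
{
    return array_change_key_case($raw, CASE_LOWER);
}

// Constructed sample requests for demonstration.
$remoteCall = normalizeHeaders(['X-Requested-With' => 'Tiki']);
$formPost   = normalizeHeaders(['Content-Type' => 'application/x-www-form-urlencoded']);

var_dump(csrfCheckPasses($remoteCall, null, 'abc123'));      // bool(true)  server-to-server call
var_dump(csrfCheckPasses($formPost, 'abc123', 'abc123'));    // bool(true)  valid ticket
var_dump(csrfCheckPasses($formPost, 'wrong', 'abc123'));     // bool(false) forged/missing ticket
var_dump(csrfCheckPasses($formPost, null, 'abc123'));        // bool(false) no ticket at all
```

The bypass stays safe only as long as the server's CORS configuration does not list X-Requested-With in Access-Control-Allow-Headers for untrusted origins; otherwise a cross-origin script could set it and pass preflight.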
