James A Riel commented on Jun 25, 2012

Re: How to enable CSRF protection

Rob:

Quickr development says: "Under "restricted_service_protection" protection, any 3rd-party program needs to be updated to add a nonce to the request URL and the request header for any POST request.

For details, please refer to:

http://www-10.lotus.com/ldd/lqwiki.nsf/dx/CSRF_protection_impact_on_your_customization"

Rob Novak commented on Jun 14, 2012

Re: How to enable CSRF protection

I have found that when using an external Java Quickr API program to create places, this setting makes it fail. Is there a way to exclude the API call in "restricted_service_protection" ?

James W. Stuart commented on May 30, 2012

Re: How to enable CSRF protection

Okay, so the comments text doesn't like certain symbols! Here is the QPCONFIG.XML text with square brackets instead:

    [security]
        [xsrf_service_protection enabled="true"]
            [restricted_service_protection enabled="false"]Jakarta Commons-HttpClient,IBM-Connectors,Thingio[/restricted_service_protection]
        [/xsrf_service_protection]
    [/security]

James W. Stuart commented on May 30, 2012

CSRF protection Vs Java Drag & Drop upload applet

If you are using the Java upload applet (http://www-10.lotus.com/ldd/lqwiki.nsf/dx/Adding_a_java_applet_for_uploading_files_to_a_place), enabling CSRF protection will cause uploads via the applet to fail with "Bad Request".

You can fix this by adding "Thingio" to the list of CSRF exceptions in QPCONFIG.XML:

    <security>
        <xsrf_service_protection enabled="true">
            <restricted_service_protection enabled="false">Jakarta Commons-HttpClient,IBM-Connectors,Thingio</restricted_service_protection>
        </xsrf_service_protection>
    </security>

. . . thanks to Ferganl McKenna for this :-)
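The two mechanisms discussed in this thread, the nonce a third-party POST client must send (per the Quickr development note quoted above) and the User-Agent exception list in QPCONFIG.XML, can be modelled together. The following is an added example, not Quickr's own code: it parses the configuration fragment from this thread (angle brackets restored) and applies the check a server would make on each request. The query-parameter name `nonce`, the header name `X-Nonce`, the prefix matching of User-Agent strings and the per-session nonce store are assumptions; the thread does not give Quickr's actual names or matching rules.

```python
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed QPCONFIG.XML fragment: the square-bracket version posted in the
# thread with the angle brackets put back. Layout/whitespace is ours.
QPCONFIG_FRAGMENT = """
<security>
  <xsrf_service_protection enabled="true">
    <restricted_service_protection enabled="false">Jakarta Commons-HttpClient,IBM-Connectors,Thingio</restricted_service_protection>
  </xsrf_service_protection>
</security>
"""

# Assumed names; Quickr's real parameter/header names are not given in the thread.
NONCE_PARAM = "nonce"
NONCE_HEADER = "X-Nonce"


def load_exempt_agents(config_xml):
    """Return (xsrf_enabled, exempt_user_agents) parsed from the fragment."""
    root = ET.fromstring(config_xml.strip())
    xsrf = root.find("xsrf_service_protection")
    enabled = xsrf is not None and xsrf.get("enabled", "false").lower() == "true"
    exempt = []
    if xsrf is not None:
        rsp = xsrf.find("restricted_service_protection")
        if rsp is not None and rsp.text:
            # The list is comma separated; "Jakarta Commons-HttpClient" keeps its space.
            exempt = [a.strip() for a in rsp.text.split(",") if a.strip()]
    return enabled, exempt


class NonceGuard:
    """Stand-in for the server-side CSRF check described in the thread."""

    def __init__(self, config_xml):
        self.enabled, self.exempt_agents = load_exempt_agents(config_xml)
        self._session_nonces = {}  # session id -> nonce issued to that session

    def issue_nonce(self, session_id):
        """Hand a fresh, unguessable nonce to an authenticated session."""
        nonce = secrets.token_urlsafe(24)
        self._session_nonces[session_id] = nonce
        return nonce

    def check(self, method, session_id, user_agent, query, headers):
        """Return (status, reason): 200 if the request passes, 400 'Bad Request' otherwise."""
        if not self.enabled or method.upper() != "POST":
            return 200, "not a protected request"
        # Exception list: clients whose User-Agent starts with a listed name skip
        # the nonce check (prefix match is an assumption).
        if any(user_agent.startswith(agent) for agent in self.exempt_agents):
            return 200, "user-agent exempt"
        expected = self._session_nonces.get(session_id)
        in_url = query.get(NONCE_PARAM)
        in_header = headers.get(NONCE_HEADER)
        if not expected or not in_url or not in_header:
            # An unmodified third-party client lands here: this is the "Bad Request"
            # the applet and the Java API program hit once protection is enabled.
            return 400, "Bad Request: nonce missing"
        if not (hmac.compare_digest(in_url, expected)
                and hmac.compare_digest(in_header, expected)):
            return 400, "Bad Request: nonce mismatch"
        return 200, "nonce verified"


if __name__ == "__main__":
    guard = NonceGuard(QPCONFIG_FRAGMENT)
    nonce = guard.issue_nonce("session-1")
    print(guard.check("POST", "session-1", "Java/1.6", {}, {}))
    print(guard.check("POST", "session-1", "Java/1.6",
                      {NONCE_PARAM: nonce}, {NONCE_HEADER: nonce}))
    print(guard.check("POST", "session-1", "Thingio/1.0", {}, {}))
```

The exception list keys on the User-Agent header, which the client sets itself, so it relaxes the check for every request carrying a listed string rather than for one program; updating the third-party program to send the nonce, as the Quickr development note recommends, keeps the protection intact.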