
As designed Security Error when Accessing .jsp File

Mike

XenForo developer
Staff member
#3
This is strictly as designed as we require the CSRF token to be provided when making any request to a ".js*" URL (to prevent a possible information leak). Not sure if we should change it to just be .json and .js though.
 

Liam W

Well-known member
#4
This is strictly as designed as we require the CSRF token to be provided when making any request to a ".js*" URL (to prevent a possible information leak). Not sure if we should change it to just be .json and .js though.
I just thought that when I discovered it happened on js* files... In my opinion, it should be changed. But I guess it's arguable.
 

tyteen4a03

Well-known member
#5
I'm not actually sure how many setups out there support both php and jsp, but this should be changed in case there really are any.
 

Adam Howard

Well-known member
#6
This is strictly as designed as we require the CSRF token to be provided when making any request to a ".js*" URL (to prevent a possible information leak). Not sure if we should change it to just be .json and .js though.
Please keep this 'as is' :)
 

Mike

XenForo developer
Staff member
#7
Going to leave this as is, just in case really. This error only comes up if the request hits XenForo; if the server has a .jsp file and it gets executed, XenForo isn't being executed so the error won't come up. Changing this globally could expose a mistake more easily for really no benefit. If you have need for a URL with various extensions, you can always explicitly disable the CSRF check in your controller in the needed cases.
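
An added sketch of the behaviour discussed in this thread (not part of any post, and not XenForo's code): a token check on every request path whose extension starts with "js", shown beside the narrower .js/.json rule and a per-controller opt-out. All function names, the sample URLs and the 'security error' string are hypothetical or constructed, and matching on the path extension is an assumption.

```php
<?php
// Added illustration with hypothetical names; this is not XenForo's code.

// Lower-cased extension of the URI's path, or null if the URI cannot be parsed.
function extensionOf(string $uri): ?string
{
    $path = parse_url($uri, PHP_URL_PATH);
    return is_string($path) ? strtolower(pathinfo($path, PATHINFO_EXTENSION)) : null;
}

// Rule described in the thread: any extension starting with "js" needs the token.
function matchesPrefixRule(string $uri): bool
{
    $ext = extensionOf($uri);
    return $ext === null || strncmp($ext, 'js', 2) === 0; // unparsable: fail closed
}

// Narrower alternative floated in the thread: only .js and .json.
function matchesNarrowRule(string $uri): bool
{
    $ext = extensionOf($uri);
    return $ext === null || in_array($ext, ['js', 'json'], true);
}

// Returns 'ok' or 'security error'. $skipCsrf models a controller that has
// explicitly disabled the check for this action.
function checkRequest(string $uri, ?string $token, string $sessionToken, bool $skipCsrf = false): string
{
    if ($skipCsrf || !matchesPrefixRule($uri)) {
        return 'ok';
    }
    // Constant-time comparison of the supplied token against the session's token.
    return ($token !== null && hash_equals($sessionToken, $token)) ? 'ok' : 'security error';
}

// Constructed sample requests: [URI, token sent by the client, controller opt-out].
$sessionToken = bin2hex(random_bytes(16));
$requests = [
    ['/threads/example/',          null,          false],
    ['/data/members.json?page=2',  null,          false],
    ['/data/members.json?page=2',  $sessionToken, false],
    ['/pages/report.jsp',          null,          false],
    ['/pages/report.jsp',          null,          true],
    ['/data/members.jsonp',        null,          false],
];
foreach ($requests as [$uri, $token, $skip]) {
    printf("%-26s token=%-3s opt-out=%-3s narrow-rule=%-3s => %s\n", $uri,
        $token === null ? 'no' : 'yes', $skip ? 'yes' : 'no',
        matchesNarrowRule($uri) ? 'yes' : 'no', checkRequest($uri, $token, $sessionToken, $skip));
}
```

The `narrow-rule` column shows which of these requests a .js/.json-only rule would still check; the last row is one the prefix rule checks and the narrow rule would not.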