
As Designed Security Error when Accessing .jsp File

Discussion in 'Resolved Bug Reports' started by Liam W, Apr 28, 2014.

  1. Liam W

    Liam W Well-Known Member

  2. Liam W

    Liam W Well-Known Member

    Adding to this, if the first two characters of the extension are js, the security error is given...
  3. Mike

    Mike XenForo Developer Staff Member

    This is strictly as designed as we require the CSRF token to be provided when making any request to a ".js*" URL (to prevent a possible information leak). Not sure if we should change it to just be .json and .js though.
  4. Liam W

    Liam W Well-Known Member

    I just thought that when I discovered it happened on js* files... In my opinion, it should be changed. But I guess it's arguable.
  5. tyteen4a03

    tyteen4a03 Well-Known Member

    I'm not actually sure how many setups out there support both php and jsp, but this should be changed in case there really are any.
  6. Adam Howard

    Adam Howard Well-Known Member

    Please keep this 'as is' :)
  7. Mike

    Mike XenForo Developer Staff Member

    Going to leave this as is, just in case really. This error only comes up if the request hits XenForo; if the server has a .jsp file and it gets executed, XenForo isn't being executed so the error won't come up. Changing this globally could expose a mistake more easily for really no benefit. If you have need for a URL with various extensions, you can always explicitly disable the CSRF check in your controller in the needed cases.
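
The rule discussed in this thread, sketched as an added example (not XenForo's own code and not posted by anyone in the thread): it compares the ".js*" prefix match described above with the narrower ".js"/".json" match that was floated, and shows why a `.jsp` URL that reaches the application is asked for a token. All function names, the sample URLs and the token handling are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical helper names, not XenForo's implementation.

/** Lower-cased extension of the URL path, ignoring the query string. */
function pathExtension(string $requestUri): string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    return is_string($path) ? strtolower(pathinfo($path, PATHINFO_EXTENSION)) : '';
}

/** Prefix rule from the thread: any ".js*" URL needs the CSRF token. */
function needsTokenPrefixRule(string $requestUri): bool
{
    return strncmp(pathExtension($requestUri), 'js', 2) === 0;
}

/** Narrower alternative mentioned in the thread: only .js and .json. */
function needsTokenExactRule(string $requestUri): bool
{
    return in_array(pathExtension($requestUri), ['js', 'json'], true);
}

/** Constant-time comparison of the supplied token with the session's token. */
function tokenIsValid(?string $supplied, string $sessionToken): bool
{
    return is_string($supplied) && $supplied !== '' && hash_equals($sessionToken, $supplied);
}

// Constructed sample requests: [request URI, token sent by the client].
$sessionToken = bin2hex(random_bytes(16));
$samples = [
    ['/index.php?threads/example.1/', null],
    ['/data/feed.json', null],
    ['/data/feed.json', $sessionToken],
    ['/pages/report.jsp', null],
    ['/pages/report.jsx', null],
];

foreach ($samples as [$uri, $token]) {
    $prefix = needsTokenPrefixRule($uri);
    $exact  = needsTokenExactRule($uri);
    // The prefix rule is the one enforced here, matching the behaviour reported.
    $denied = $prefix && !tokenIsValid($token, $sessionToken);
    printf("%-32s prefix=%-3s exact=%-3s => %s\n", $uri,
        $prefix ? 'yes' : 'no', $exact ? 'yes' : 'no',
        $denied ? 'security error' : 'allowed');
}
```

Under the prefix rule the `.jsp` and `.jsx` requests are rejected without a token, while the exact rule would let them through; both rules treat `.json` the same way.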
