Firewalls may remove the Ajax verification token header

Created on 5 October 2015, over 9 years ago
Updated 7 November 2023, about 1 year ago

Problem/Motivation

(Some) firewalls strip the X-Drupal-Ajax-Token header. Since Views UI depends on Ajax responses it becomes unusable behind (some) corporate firewalls.

The X-Drupal-Ajax-Token header was introduced by the patch in #2554219: Port Cross-site Scripting - Ajax system fixes from SA-CORE-2015-003 to Drupal 8 →

/core/misc/ajax.js

// Prior to invoking the response's commands, verify that they can be
// trusted by checking for a response header. See
// \Drupal\Core\EventSubscriber\AjaxResponseSubscriber for details.
// - Empty responses are harmless so can bypass verification. This
//   avoids an alert message for server-generated no-op responses that
//   skip Ajax rendering.
// - Ajax objects with trusted URLs (e.g., ones defined server-side via
//   #ajax) can bypass header verification. This is especially useful
//   for Ajax with multipart forms. Because IFRAME transport is used,
//   the response headers cannot be accessed for verification.
if (response !== null && !drupalSettings.ajaxTrustedUrl[ajax.url]) {
  if (xmlhttprequest.getResponseHeader('X-Drupal-Ajax-Token') !== '1') {
    var customMessage = Drupal.t("The response failed verification so will not be processed.");
    return ajax.error(xmlhttprequest, ajax.url, customMessage);
  }
}

Result

A click on any configuration item in Views UI fails with an Uncaught AjaxError.

Uncaught AjaxError: An AJAX HTTP error occurred.
HTTP Result Code: 200
Debugging information follows.
Path: /d8/admin/structure/views/ajax/display/viewstest/page_1/row
StatusText: OK
CustomMessage: The response failed verification so will not be processed.
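To make the failure mode concrete, here is an added example (not code from Drupal core or from this issue) that models the gate shown above from core/misc/ajax.js as a pure function and adds a small classifier for the symptom in the Result section. The function and variable names (getHeader, verifyAjaxResponse, classifyFailure, demo) are hypothetical, `trustedUrls` stands in for `drupalSettings.ajaxTrustedUrl`, and the sample response headers and command body are constructed; only the request path is taken from the error output above.

```javascript
// Added example, not Drupal core code: a stand-alone model of the
// response-verification step in core/misc/ajax.js. It reproduces the
// decision order (empty response -> skip; trusted URL -> skip; otherwise
// require X-Drupal-Ajax-Token: 1) and classifies a failing response so an
// administrator can tell a header stripped in transit apart from a
// genuinely untrusted or non-Ajax response. All names are hypothetical.

// HTTP header names are case-insensitive; normalise the lookup so it
// behaves like XMLHttpRequest.getResponseHeader().
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? null : headers[key];
}

// Mirrors the gate in ajax.js. `trustedUrls` stands in for
// drupalSettings.ajaxTrustedUrl (a map of URL -> true).
function verifyAjaxResponse(response, url, headers, trustedUrls) {
  if (response === null || response === undefined) {
    return { ok: true, reason: 'empty-response' };
  }
  if (trustedUrls[url]) {
    return { ok: true, reason: 'trusted-url' };
  }
  if (getHeader(headers, 'X-Drupal-Ajax-Token') === '1') {
    return { ok: true, reason: 'token-present' };
  }
  return { ok: false, reason: 'token-missing' };
}

// Diagnostic for the symptom in this issue: HTTP 200, a body that parses as
// a Drupal Ajax command array, but no token header. That combination is the
// signature of an intermediary dropping the header. A non-JSON body (HTML
// error page, login redirect) or a non-200 status points elsewhere.
function classifyFailure(status, headers, body) {
  if (getHeader(headers, 'X-Drupal-Ajax-Token') === '1') {
    return 'header-intact';
  }
  let commands;
  try {
    commands = JSON.parse(body);
  } catch (e) {
    return 'non-ajax-body';
  }
  const looksLikeCommands =
    Array.isArray(commands) &&
    commands.every((c) => c && typeof c.command === 'string');
  if (status === 200 && looksLikeCommands) {
    return 'header-stripped-in-transit';
  }
  return 'unexpected-response';
}

// Constructed sample traffic: the same Views UI response seen directly from
// the server and through a header-stripping proxy. The path is the one from
// the error output in this issue; the command body is made up.
const AJAX_URL = '/d8/admin/structure/views/ajax/display/viewstest/page_1/row';
const COMMANDS = JSON.stringify([
  { command: 'insert', method: 'html', selector: '#views-ajax-body', data: '<p>...</p>' },
]);
const DIRECT_HEADERS = { 'Content-Type': 'application/json', 'X-Drupal-Ajax-Token': '1' };
const PROXIED_HEADERS = { 'Content-Type': 'application/json' }; // token header dropped

function demo() {
  const direct = verifyAjaxResponse(COMMANDS, AJAX_URL, DIRECT_HEADERS, {});
  const proxied = verifyAjaxResponse(COMMANDS, AJAX_URL, PROXIED_HEADERS, {});
  return {
    direct: direct.reason,    // 'token-present'
    proxied: proxied.reason,  // 'token-missing'
    diagnosis: classifyFailure(200, PROXIED_HEADERS, COMMANDS), // 'header-stripped-in-transit'
  };
}

console.log(demo());
```

The point of `classifyFailure` is that the client has no way to distinguish a stripped header from a forged response, which is exactly why ajax.js refuses to process the commands; the classifier only helps an operator confirm, from captured headers, that the header left the server and was removed on the way.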

πŸ› Bug report
Status

Closed: outdated

Version

11.0 🔥

Component
Ajax →

Created by

🇩🇪 Germany derjochenmeyer


Comments & Activities

  • The Needs Review Queue Bot → tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

  • Status changed to Postponed: needs info almost 2 years ago
  • 🇦🇺 Australia acbramley

    3 years without much activity tells me this isn't a major. There are also quite a few headers in play now that will break things if stripped (e.g. embedded content via media library).

    I'm inclined to mark this as won't fix but would like to see what others think.

  • 🇬🇧 United Kingdom longwave UK

    I am inclined to agree, given that most reports of this were back in 2016, and it seems to affect HTTP only. This only affects authenticated users and most sites should be on HTTPS especially where authenticated users are involved, so this is perhaps still technically an issue, but only in a configuration that is not really recommended. Let's leave this open for a few more months and then close if there are no further reports.

  • Status changed to Closed: outdated about 1 year ago
  • 🇳🇿 New Zealand quietone

    Based on the comments in #50 and #51 I am closing this issue as outdated. If this is incorrect reopen the issue, by setting the status to 'Active', and add a comment explaining what still needs to be done.

    Thanks!
