Showing posts with label Browser. Show all posts

Tuesday, July 23, 2013

CSRF Policy in Alfresco Share

A new CSRF (Cross-Site Request Forgery) policy was introduced in Alfresco Share in Enterprise 4.1.4.
For background on CSRF, see the OWASP page: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Mostly, it does not affect you, but in some cases it does. Here are some of the scenarios.
  • You are making an XMLHttpRequest with method POST, PUT or DELETE without using the Alfresco.util.Ajax or alfresco/core/CoreXhr classes 
  • You are making a form upload with enctype multipart/form-data without using Alfresco.forms.Form 
  • You are using a Flash movie inside Share to send HTTP requests with method POST
  • You are writing a non-browser client, i.e. a mobile app 
  • Another system is sending POST requests to your Alfresco Share server 
  • You are running Alfresco Share behind one or more proxy server(s) and you get errors…
Each of these situations can be handled individually through CSRFPolicy configuration. Sometimes, however, you may want to disable this filter altogether.

To do that, add the following snippet to your share-config-custom.xml file. The replace="true" attribute makes it override the default CSRFPolicy configuration.

<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
   <filter>
      <rule>
         <request>
            <method>POST|PUT|DELETE</method>
            <session>
               <attribute name="_alf_USER_ID">.*</attribute>
            </session>
         </request>
         <action name="assertReferer">
            <param name="always">false</param>
         </action>
         <action name="assertOrigin">
            <param name="always">false</param>
         </action>
      </rule>
   </filter>
</config>



Thanks to Erik Winlof for the detailed information.
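
The audit script below is an added example, not code from the original post or from Alfresco. It parses a share-config-custom.xml and reports CSRFPolicy overrides like the one above, so a reviewer can see where the default policy has been replaced. The `<alfresco-config>` wrapper, the sample content, and the reading of always=false as "header checked only when present" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the override from this post wrapped in the usual
# <alfresco-config> root of share-config-custom.xml (wrapper is an assumption).
SAMPLE = """<alfresco-config>
  <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    <filter>
      <rule>
        <request>
          <method>POST|PUT|DELETE</method>
          <session><attribute name="_alf_USER_ID">.*</attribute></session>
        </request>
        <action name="assertReferer"><param name="always">false</param></action>
        <action name="assertOrigin"><param name="always">false</param></action>
      </rule>
    </filter>
  </config>
</alfresco-config>"""


def audit_csrf_policy(xml_text):
    """Return (severity, message) findings for every CSRFPolicy config section."""
    findings = []
    root = ET.fromstring(xml_text)
    for cfg in root.iter("config"):
        if cfg.get("condition") != "CSRFPolicy":
            continue
        if cfg.get("replace", "false").lower() == "true":
            findings.append(("warn", "replace=true: default CSRFPolicy rules are overridden"))
        rules = cfg.findall("./filter/rule")
        if not rules:
            # Assumption: a filter with no rules checks no requests.
            findings.append(("high", "filter has no rules"))
        for i, rule in enumerate(rules, 1):
            methods = rule.findtext("./request/method", default="(any)").strip()
            actions = {a.get("name"): a for a in rule.findall("action")}
            findings.append(("info", f"rule {i}: methods={methods} actions={sorted(actions)}"))
            for name, action in actions.items():
                always = action.findtext("./param[@name='always']", default="").strip()
                if always.lower() == "false":
                    # Assumption: always=false means the header is only
                    # validated when the request actually sends it.
                    findings.append(("warn", f"rule {i}: {name} is optional (always=false)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_csrf_policy(SAMPLE):
        print(f"{severity:5} {message}")
```

Run it against each deployed share-config-custom.xml during configuration review; any "warn" or "high" finding marks a server whose CSRF policy differs from the shipped default.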

Sunday, September 30, 2012

Alfresco Share in IE Compatibility Mode

Alfresco Share is not supported in Internet Explorer Compatibility View, in either IE8 Compat View or IE9 Compat View.

A number of UI bugs crop up in these browser modes, even though the same features work in IE6 (and, of course, in IE7 and from IE8 onwards).

For example, one feature that does not work in Compat View is inserting an image into a Wiki page.

Tuesday, May 15, 2012

Setting up your Browser to use Alfresco Search

In Alfresco 4, OpenSearch is enabled by default.
You do, however, need to configure it in your browser.

  • Open the URL [http://localhost:8080/alfresco/service/api/search/engines] (replace localhost and 8080 with your Alfresco server's host and port). If OpenSearch is enabled, the following screen should come up.

  • While this page is open, click on the browser's search engine drop-down on the right-hand side of the address bar.

  • Click on "Add Alfresco Keyword Search". The Alfresco OpenSearch search engine is now configured in your browser.
  • Choose this search engine, type something in the search box, and press Enter.
  • Alfresco asks for your user credentials (if you are not already logged in to Alfresco Explorer in this browser session). The search results are then displayed according to your user credentials.

    Note:

  • Alfresco takes care of user permissions and scope automatically. No enhancements are needed for this.
  • The search runs across the whole repository (subject to permissions); it is not limited to "Sites".
  • The output is paginated. Each document's name is a link that lets you download it.