If you want to learn more about CSRF, this should be useful: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
In most cases the CSRF filter does not affect you, but in some cases it does. Here are some of the scenarios:
- You are making an XMLHttpRequest with method POST, PUT or DELETE without using the Alfresco.util.Ajax or alfresco/core/CoreXhr classes
- You are making a form upload with enctype multipart/form-data without using Alfresco.forms.Form
- You are using a Flash movie inside Share to send HTTP requests with method POST
- You are writing a non-browser client, e.g. a mobile app
- Another system is sending POST requests to your Alfresco Share server
- You are running Alfresco Share behind one or more proxy server(s) and you get errors…
For that last scenario, add the following snippet to your share-config-custom.xml file.
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
  <filter>
    <rule>
      <request>
        <method>POST|PUT|DELETE</method>
        <session>
          <attribute name="_alf_USER_ID">.*</attribute>
        </session>
      </request>
      <action name="assertReferer">
        <param name="always">false</param>
      </action>
      <action name="assertOrigin">
        <param name="always">false</param>
      </action>
    </rule>
  </filter>
</config>
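To make the effect of the "always" parameter concrete, here is a small added example (written for this page, not Alfresco's own code) that models in plain JavaScript how the rule above is evaluated for a same-site POST, a cross-site POST and a POST whose headers a reverse proxy stripped. The header semantics it assumes are stated in the comments; the server origin and the sample requests are constructed for the demo.

```javascript
// Added example, not Alfresco's code: a model of how the CSRFPolicy rule above is
// evaluated, so the effect of <param name="always"> becomes visible.
// Assumed semantics (as in the Share CSRF filter): the Referer/Origin headers are
// compared with the server's own origin; with always=false a request that carries
// no such header passes the assertion, with always=true it fails.

const SERVER_ORIGIN = "https://share.example.com"; // constructed value for the demo

// <request>: method POST|PUT|DELETE and a session that carries _alf_USER_ID (.*).
function ruleApplies(req) {
  const methodMatches = /^(POST|PUT|DELETE)$/.test(req.method);
  const loggedIn = Boolean(req.session) && "_alf_USER_ID" in req.session;
  return methodMatches && loggedIn;
}

// assertOrigin: the Origin header, when present, must equal the server origin.
function assertOrigin(req, always) {
  const origin = req.headers.origin;
  if (origin === undefined) return !always; // absent header: pass unless always=true
  return origin === SERVER_ORIGIN;
}

// assertReferer: the origin part of the Referer URL, when present, must match.
function assertReferer(req, always) {
  const referer = req.headers.referer;
  if (referer === undefined) return !always;
  try {
    return new URL(referer).origin === SERVER_ORIGIN;
  } catch (e) {
    return false; // an unparseable Referer is treated as a mismatch
  }
}

// "not-applicable" when <request> does not match; "allow" only if every action passes.
function evaluate(req, opts) {
  if (!ruleApplies(req)) return "not-applicable";
  const ok = assertReferer(req, opts.refererAlways) && assertOrigin(req, opts.originAlways);
  return ok ? "allow" : "deny";
}

// Constructed sample requests: a same-site browser POST, a cross-site POST, and a
// POST whose Referer/Origin were stripped by a reverse proxy.
const session = { _alf_USER_ID: "admin" };
const sameSite = { method: "POST", session, headers: { origin: SERVER_ORIGIN, referer: SERVER_ORIGIN + "/share/page/user/admin/dashboard" } };
const crossSite = { method: "POST", session, headers: { origin: "https://other.example", referer: "https://other.example/page.html" } };
const proxied = { method: "POST", session, headers: {} };
const pageSetting = { refererAlways: false, originAlways: false }; // as in the snippet above
const strict = { refererAlways: true, originAlways: true };

console.log(evaluate(sameSite, pageSetting), evaluate(crossSite, pageSetting)); // allow deny
console.log(evaluate(proxied, pageSetting), evaluate(proxied, strict));       // allow deny
```

Because the snippet uses replace="true", only the two actions it lists are evaluated; any action the stock Share policy had beyond them (such as its assertToken check) is dropped rather than relaxed, so compare it with the share-security-config.xml shipped with your Share version before deploying.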
Thanks to Erik Winlof for the detailed information.