POST requests to applinks/proxy fail

We are using the applinks/proxy of Confluence to interact with Service Desk from a Confluence page.

This functionality is currently unusable since the applinks/proxy URL suddenly (it was working fine with 6.15.6) returns a 403 "XSRF token missing" error message.

I have tracked it down to the following commits:

https://bitbucket.org/atlassian/confluence-jira-plugin/commits/83421beb7cf4d53939ed041e62776e4d3836c9ec
https://bitbucket.org/atlassian/confluence-jira-plugin/commits/63f1397b6d0d4a611d5eb53bfc787f510cfd2b30

(and I confirmed that editing the atlassian-plugin.xml and removing the check again fixes it)

I also tracked down the XWork version:

https://docs.atlassian.com/atlassian-xwork-core/1.20/atlassian-xwork-core/xref/com/atlassian/xwork/interceptors/XsrfTokenInterceptor.html

But it seems that it doesn’t accept my override token for some reason.

So, steps to reproduce:

Call the applinks/proxy endpoint from a Confluence page with a POST request to interact with Service Desk.

Expected Result

The POST request should succeed, since none of the XSRF markers (documentation) are hit.

Actual Result

The POST request is blocked.

If anyone has a pointer to fix this, I would appreciate it.

Also, I would like Atlassian to actually fix the plugin so that it works as expected, and not change something like that in a MINOR VERSION upgrade!
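As an added illustration (not Atlassian's code and not part of the original post), here is a simplified model of the interceptor decision the thread describes: a POST is allowed when it carries a valid session token or an explicit `X-Atlassian-Token: no-check` override, while `honor_override=False` reproduces the reported regression where the override is ignored and the request fails with a 403 "XSRF token missing". The token parameter name and the exact check order are assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Assumed names for this model: the override header is the documented Atlassian
# header; the token parameter and the check order are simplifications.
OVERRIDE_HEADER = "x-atlassian-token"
OVERRIDE_VALUE = "no-check"
TOKEN_PARAM = "atl_token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed, not real traffic)."""
    method: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def xsrf_check(req: Request, session_token: str, honor_override: bool = True):
    """Decide whether a request passes XSRF protection.

    Returns (allowed, reason). honor_override=False models the regression in the
    thread: the no-check header is present but not honoured, so a POST without a
    token is rejected.
    """
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"

    headers = {k.lower(): v for k, v in req.headers.items()}
    if honor_override and headers.get(OVERRIDE_HEADER) == OVERRIDE_VALUE:
        return True, "explicit no-check override honoured"

    supplied = req.params.get(TOKEN_PARAM)
    if supplied is None:
        return False, "403 XSRF token missing"

    # Constant-time comparison so token validation does not leak timing information.
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "403 XSRF token invalid"
    return True, "session token matched"


def reproduce_thread():
    """Same proxied POST, evaluated before and after the override stopped being honoured."""
    proxied_post = Request("POST", headers={"X-Atlassian-Token": "no-check"})
    before = xsrf_check(proxied_post, "session-token", honor_override=True)
    after = xsrf_check(proxied_post, "session-token", honor_override=False)
    return before, after
```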

Hi @thomasrosenstein - it appears that CSRF on POST calls has been implemented on 6.15.7 and later. I’m waiting to hear back from the team about guidance/docs on how you can implement CSRF tokens. Meanwhile, I’m going to ping you via DEVHELP ticket to ask for more details.

The no-check header is not being handled properly. The team has created a ticket:

https://jira.atlassian.com/browse/CONFSERVER-59015

Thanks, is there any ETA when it will be added to an update?

I recommend you ask on that ticket.