Post requests to applinks/proxy fail

We are using the applinks/proxy of Confluence to interact with the servicedesk from a Confluence page.

This functionality is currently unusable since the applinks/proxy URL suddenly (it was working fine with 6.15.6) returns a 403 XSRF Token missing error message.

I have tracked it down to the following commits:

(and confirmed that editing the atlassian-plugin.xml and removing the check again fixes it)

I also tracked down the xwork version:

But it seems that it doesn’t accept my override token for some reason.

So steps to reproduce:

Call the applinks/proxy endpoint with a POST request to interact with servicedesk from a Confluence page.

Expected Result

The POST request should succeed, since none of the XSRF markers (documentation) are hit.

Actual Result

The POST request is blocked.

If anyone has a pointer to fix this, I would appreciate it.

Also, I would like Atlassian to actually fix the plugin so that it works as expected, and not change something like that in a MINOR VERSION upgrade!

Hi @thomasrosenstein - it appears that CSRF on POST calls has been implemented on 6.15.7 and later. I’m waiting to hear back from the team about guidance/docs on how you can implement CSRF tokens. Meanwhile, I’m going to ping you via DEVHELP ticket to ask for more details.

The no-check header is not being handled properly. The team has created a ticket:

Thanks, is there any ETA when it will be added to an update?

I recommend you ask on that ticket.