
Bootstrap Modal is falsely blocked due to possible csrf attack #56

Open
pa7r1ck opened this issue Feb 15, 2016 · 4 comments
Comments


pa7r1ck commented Feb 15, 2016

Hey Marc,
I checked out your project yesterday and it works great so far.
I encountered a problem recently with the 'Wicket Bootstrap' API (https://github.com/l0rdn1kk0n/wicket-bootstrap).

As soon as I open a modal window the application recognizes a possible CSRF attack because the origin of the request is empty.

Log says: INFO 869808 --- [nio-8080-exec-7] w.p.h.CsrfPreventionRequestCycleListener : Possible CSRF attack, request URL: http://localhost:8080/, Origin: null, action: allowed

Regards, pa7r1ck

@martin-g (Contributor)

I am not sure this issue belongs here.
It looks to me like an issue with CsrfPreventionRequestCycleListener, i.e. it should be in Wicket's JIRA.

@MarcGiffing (Owner)

https://issues.apache.org/jira/browse/WICKET-6101

Martijn Dashorst : As you can see in the log, the request is not blocked. The origin header was not set, and the action is allowed. It is logged to ensure that the developer knows which Origin headers are being sent if at all, to be able to finetune the whitelist. See the documentation of the CsrfPreventionRequestCycleListener for more information on the configuration options.

On every request you get the log information, which is a little bit annoying. When is the origin header set? Only if the origin is different? The whitelist check is not executed because the origin header is null. One must verify that this behavior is right.
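The decision Martijn Dashorst describes above, as an added stand-alone model that is neither Wicket's code nor this project's: with no Origin header the listener logs the request and applies its no-origin action (allow, by default); with an Origin header it compares it against the request's own origin, then against the whitelist, and otherwise applies the conflicting-origin action. On the question of when the header is present: browsers attach Origin to cross-origin requests and, in current browsers, to POST requests, so a same-origin Ajax GET such as the one that opens the modal arrives with no Origin at all, which is why the whitelist is never consulted and the request is logged as allowed. The class, request and host names below are the editor's own constructions.

```python
"""Stand-alone model of the Origin-header CSRF decision made by Wicket's
CsrfPreventionRequestCycleListener. Illustration only, not Wicket's code;
all names and sample requests here are the editor's constructions."""

from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class CsrfAction(Enum):
    ALLOW = "allowed"
    SUPPRESS = "suppressed"   # drop the request's side effects, still render
    ABORT = "aborted"         # reject the request with an error status


@dataclass
class Request:
    url: str
    method: str = "GET"
    headers: dict = field(default_factory=dict)


@dataclass
class OriginCsrfCheck:
    """Decision policy. Defaults mirror what the thread's log line shows:
    no Origin header -> logged but allowed; conflicting Origin -> aborted."""
    no_origin_action: CsrfAction = CsrfAction.ALLOW
    conflicting_origin_action: CsrfAction = CsrfAction.ABORT
    accepted_origins: set = field(default_factory=set)   # the whitelist
    log: list = field(default_factory=list)

    @staticmethod
    def origin_of(url: str) -> str:
        """Reduce a URL or Origin value to scheme://host[:port], lower-cased."""
        parts = urlsplit(url)
        return f"{parts.scheme}://{parts.netloc}".lower()

    def check(self, req: Request) -> CsrfAction:
        origin = req.headers.get("Origin")
        target = self.origin_of(req.url)
        if origin is None:
            # Whitelist is skipped entirely: there is nothing to compare.
            action, reason = self.no_origin_action, "no Origin header"
        elif self.origin_of(origin) == target:
            return CsrfAction.ALLOW          # same origin: nothing to log
        elif self.origin_of(origin) in self.accepted_origins:
            action, reason = CsrfAction.ALLOW, "whitelisted"
        else:
            action, reason = self.conflicting_origin_action, "conflicting Origin"
        # Same shape as the log line quoted in the issue.
        self.log.append(
            f"Possible CSRF attack, request URL: {req.url}, "
            f"Origin: {origin if origin is not None else 'null'}, "
            f"action: {action.value} ({reason})"
        )
        return action


# Constructed sample requests (not captured traffic).
AJAX_GET_NO_ORIGIN = Request("http://localhost:8080/")   # opening the modal
SAME_ORIGIN_POST = Request("http://localhost:8080/form", "POST",
                           {"Origin": "http://localhost:8080"})
CROSS_SITE_POST = Request("http://localhost:8080/form", "POST",
                          {"Origin": "http://attacker.example"})
PARTNER_POST = Request("http://localhost:8080/form", "POST",
                       {"Origin": "https://partner.example"})


def run_default_policy() -> tuple:
    """Default policy with one whitelisted partner origin."""
    check = OriginCsrfCheck(accepted_origins={"https://partner.example"})
    actions = [check.check(r) for r in (AJAX_GET_NO_ORIGIN, SAME_ORIGIN_POST,
                                        CROSS_SITE_POST, PARTNER_POST)]
    return actions, check.log


def run_strict_policy() -> CsrfAction:
    """no_origin_action=ABORT: the Origin-less request is still never
    matched against the whitelist, it is simply rejected instead."""
    check = OriginCsrfCheck(no_origin_action=CsrfAction.ABORT)
    return check.check(AJAX_GET_NO_ORIGIN)


if __name__ == "__main__":
    _, log = run_default_policy()
    for line in log:
        print(line)
```

In Wicket itself the corresponding knobs are the listener's setNoOriginAction, setConflictingOriginAction and addAcceptedOrigin methods, applied where the listener is registered in the application's init(). Switching the no-origin action to ABORT silences the "allowed" log entries but also rejects every legitimate request the browser sends without Origin, such as same-origin GETs, so it is only safe where each request the listener checks is one the browser always sends Origin for.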

@MarcGiffing (Owner)

MarcGiffing added a commit that referenced this issue Apr 26, 2019
- revert changes - a conditional csrf listener is needed
3 participants