We're updating some of our product names. K2 Five is now Nintex Automation. You may see both product names in our help pages while we make this change.

Implementing CSRF validation for Custom Controls

By default, Smartforms implements Anti-Cross Site Request Forgery (Anti-CSRF) security measures. While in most cases this should not pose any problems, there may be a few cases where custom controls implementing custom handlers may need to be updated to pass through an Anti-CSRF token. In some cases, you may even need to disable the Anti-CSRF security measures for certain custom handler request file paths, or disable them entirely (not recommended).

Disable CSRF validation for specific file paths

You can disable the checking of Anti-Cross Site Request Forgery tokens for specific file path server requests, by adding a semi-colon separated list of partial file paths in the AntiXSRF.IgnoreFilePathList config key in the appSettings section.

If you have custom controls in your environment and then upgrade the server, you may notice failing requests from SmartForms containing your custom controls. You must implement fixes for your controls to pass the Anti-CSRF token by using this guidance below, but until you can fix your code, temporarily disable the CSRF validation for a list of items based on their file paths. No CSRF validation happens when Smartforms makes requests to the custom control handlers specified in the semicolon-separated list that you add to the appSettings node of the SmartForms Runtime and/or Designer web.config file (typically located at "%PROGRAMFILES%\K2\"):

Disable CSRF validation entirely

Although not recommended due to the added security risk, you can temporarily disable the Anti-CXSRF mechanism. Disable the Anti-XSRF mechanism by adding the following configuration in the appSettings node of the SmartForms Runtime and/or Designer web.config file:

Possible performance testing issues

Due to the way some tools handle cookies and JavaScript in web tests, this change may affect performance testing. If you get one of the following errors during performance testing, you can temporarily disable the Anti-CSRF module to avoid the errors while testing.

No Anti-Cross Site Request Forgery cookie found in request
No Anti-Cross Site Request Forgery token found in request

Controls CSRF validation samples

All controls and custom controls implement anti-cross site request forgery measures, unless you disable it manually in the Designer or Runtime web.config file.

Most custom controls should work without any changes. The following list shows exceptions and their resolutions.

Exception: Custom controls making requests to custom handlers that override the default ajax beforeSend function may not pass through the anti-cross site request forgery token.
Resolution: add a call to SourceCode.Forms.XSRFHelper.setAntiXSRFHeader(..) in the beforeSend function. The following JavaScript example implements the beforeSend function:
Copy
Resolution to exception 1
```
1
2
3
4
5
6
beforeSend: function(xhr) {
 ...
 ...
    SourceCode.Forms.XSRFHelper.setAntiXSRFHeader(xhr);
},
```
Exception: if the custom control implements its own XMLHttpRequest to perform server calls to a custom handler, the request may not pass through the anti-cross site request forgery token.
Resolution: add the anti-cross site request forgery token to the XMLHttpRequest object before the request is sent, by adding a call to SourceCode.Forms.XSRFHelper.setAntiXSRFHeader(...). Here is a JavaScript example:
Copy
Resolution to exception 2
```
1
2
3
4
5
6
var myReq = new XMLHttpRequest();
...
...
SourceCode.Forms.XSRFHelper.setAntiXSRFHeader(myReq);
myReq.send();
```

You can completely disable checking for anti-cross site request forgery tokens for a custom control handler by adding the [IgnoreAntiXSRFTokenValidation] attribute to the handler class. Note that this is a security risk.

Copy

Disable checking for anti-cross site request forgery tokens

1
2
3
4
5
6
7
8
9
10
11
12
using SourceCode.Forms.Controls.Web.SDK.Attributes;

namespace Examples
{
    [ClientAjaxHandler("ExampleAjaxControl.handler")]
    [IgnoreAntiXSRFTokenValidation]
    public class ExampleAjaxHandler : IHttpHandler
    {
  ...
    }
}