Implementing CSRF validation for Custom Controls
By default, Smartforms implements Anti-Cross Site Request Forgery (Anti-CSRF) security measures. While in most cases this should not pose any problems, there may be a few cases where custom controls implementing custom handlers may need to be updated to pass through an Anti-CSRF token. In some cases, you may even need to disable the Anti-CSRF security measures for certain custom handler request file paths, or disable them entirely (not recommended).
Disable CSRF validation for specific file paths
You can disable the checking of Anti-Cross Site Request Forgery tokens for specific file path server requests, by adding a semi-colon separated list of partial file paths in the AntiXSRF.IgnoreFilePathList config key in the appSettings section.
If you have custom controls in your environment and then upgrade the server, you may notice failing requests from SmartForms containing your custom controls. You must implement fixes for your controls to pass the Anti-CSRF token by using this guidance below, but until you can fix your code, temporarily disable the CSRF validation for a list of items based on their file paths. No CSRF validation happens when Smartforms makes requests to the custom control handlers specified in the semicolon-separated list that you add to the appSettings node of the SmartForms Runtime and/or Designer web.config file (typically located at "%PROGRAMFILES%\K2\"):
<add key="AntiXSRF.IgnoreFilePathList" value="exampleControl1.handler;/myPath/exampleControl2.handler" />
Disable CSRF validation entirely
Although not recommended due to the added security risk, you can temporarily disable the Anti-CXSRF mechanism. Disable the Anti-XSRF mechanism by adding the following configuration in the appSettings node of the SmartForms Runtime and/or Designer web.config file:
<add key="AntiXSRF.Enabled" value="false" />
Possible performance testing issues
Due to the way some tools handle cookies and JavaScript in web tests, this change may affect performance testing. If you get one of the following errors during performance testing, you can temporarily disable the Anti-CSRF module to avoid the errors while testing.
- No Anti-Cross Site Request Forgery cookie found in request
- No Anti-Cross Site Request Forgery token found in request
Controls CSRF validation samples
All controls and custom controls implement anti-cross site request forgery measures, unless you disable it manually in the Designer or Runtime web.config file.
Most custom controls should work without any changes. The following list shows exceptions and their resolutions.
- Exception: Custom controls making requests to custom handlers that override the default ajax beforeSend function may not pass through the anti-cross site request forgery token.
Resolution: add a call to SourceCode.Forms.XSRFHelper.setAntiXSRFHeader(..) in the beforeSend function. The following JavaScript example implements the beforeSend function:CopyResolution to exception 1
beforeSend: function(xhr) {
...
...
SourceCode.Forms.XSRFHelper.setAntiXSRFHeader(xhr);
}, - Exception: if the custom control implements its own XMLHttpRequest to perform server calls to a custom handler, the request may not pass through the anti-cross site request forgery token.
Resolution: add the anti-cross site request forgery token to the XMLHttpRequest object before the request is sent, by adding a call to SourceCode.Forms.XSRFHelper.setAntiXSRFHeader(...). Here is a JavaScript example:CopyResolution to exception 2
var myReq = new XMLHttpRequest();
...
...
SourceCode.Forms.XSRFHelper.setAntiXSRFHeader(myReq);
myReq.send();
You can completely disable checking for anti-cross site request forgery tokens for a custom control handler by adding the [IgnoreAntiXSRFTokenValidation] attribute to the handler class. Note that this is a security risk.
Disable checking for anti-cross site request forgery tokens
using SourceCode.Forms.Controls.Web.SDK.Attributes;
namespace Examples
{
[ClientAjaxHandler("ExampleAjaxControl.handler")]
[IgnoreAntiXSRFTokenValidation]
public class ExampleAjaxHandler : IHttpHandler
{
...
}
}