[ https://issues.apache.org/jira/browse/OFBIZ-11329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17027411#comment-17027411 ]
Jacques Le Roux commented on OFBIZ-11329:
-----------------------------------------
Hi James,
OK I have found a simple solution: just check if there is an error in setUserTimeZone.js before setting SetTimeZoneFromBrowser to done in [sessionStorage|https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage].
I also had to make a simple change to CsrfUtil::checkToken in case of XMLHttpRequest. The RequestHandlerException is only thrown if the request is not SetTimeZoneFromBrowser. Also, as a last resort, you throw RequestHandlerExceptionAllowExternalRequests. I have added the condition related to the throwRequestHandlerExceptionOnMissingLocalRequest property. It's not activated by default.
I have also defined a csrf.cache.size for removeEldestEntry in getTokenMap.
I attach [^OFBIZ-11329.patch] for you to check before we continue on the rest, TIA.
> setUserTimeZone should use Get rather than POST
> -----------------------------------------------
>
> Key: OFBIZ-11329
> URL: https://issues.apache.org/jira/browse/OFBIZ-11329
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework, webpos
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
> Attachments: OFBIZ-11329.patch
>
>
> This will be useful when committing CSRF solution as explained in OFBIZ-11306
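The client-side check described in the comment above (mark SetTimeZoneFromBrowser as done in sessionStorage only when the request did not fail), sketched as an added example that is not part of the original message, the attached patch, or the OFBiz code. The function names, the `send` transport and the in-memory storage are assumptions made for illustration.

```javascript
// Added illustration; function and parameter names are hypothetical, not OFBiz code.
// `storage` is anything with getItem/setItem (window.sessionStorage in a browser).
// `send(timeZone, onSuccess, onError)` is an assumed transport, for example a
// wrapper around the XMLHttpRequest that calls SetTimeZoneFromBrowser.
const FLAG_KEY = "SetTimeZoneFromBrowser";
const FLAG_DONE = "done";

function syncTimeZone(storage, send, timeZone) {
  if (storage.getItem(FLAG_KEY) === FLAG_DONE) {
    return "skipped"; // already sent successfully in this session
  }
  // Stays "pending" when the transport is asynchronous, as in a browser.
  let outcome = "pending";
  send(
    timeZone,
    () => {
      // Mark done only once the server has accepted the request.
      storage.setItem(FLAG_KEY, FLAG_DONE);
      outcome = "done";
    },
    () => {
      // Rejected (for example by a token check) or network error:
      // leave the flag unset so the next page load tries again.
      outcome = "failed";
    }
  );
  return outcome;
}

// Constructed stand-in for sessionStorage so the example runs outside a browser.
function makeMemoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
  };
}

// Constructed scenario: one rejected request, then a successful one, then a repeat.
function demo() {
  const storage = makeMemoryStorage();
  const failing = (tz, ok, err) => err(new Error("constructed failure"));
  const working = (tz, ok, err) => ok();
  return [
    syncTimeZone(storage, failing, "Europe/Paris"),
    syncTimeZone(storage, working, "Europe/Paris"),
    syncTimeZone(storage, working, "Europe/Paris"),
  ];
}
```

If the flag were written before the result is known, a request refused by the server would never be retried for the rest of the session.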