Question
I've set up my web application to protect against CSRF by listing individual pages in faces-config, protected-views.
This works well when running locally, but after deploying to the server I eventually get these errors when opening a page link:
javax.faces.application.ProtectedViewException: JSF1099: Referer [sic] header value http://[redacted]/finance/commitmentregister/search.xhtml?javax.faces.Token=1534344211116 does not appear to be a protected view. Preventing display of viewId /finance/commitmentregister/view.xhtml
at com.sun.faces.lifecycle.RestoreViewPhase.maybeTakeProtectedViewAction(Unknown Source)
at com.sun.faces.lifecycle.RestoreViewPhase.execute(Unknown Source)
at com.sun.faces.lifecycle.Phase.doPhase(Unknown Source)
at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(Unknown Source)
at com.sun.faces.lifecycle.LifecycleImpl.execute(Unknown Source)
We are running Apache Tomcat 7 locally and on the test server.
Edit:
I've noticed that the URL generated for the link looks like this:
http://.../page.xhtml?token=123&p=4
where token is the CSRF javax.faces.Token and p is a URL parameter that is sent along.
The error message shows the URL with the token but without p, as if it expects the URL with the token to be the protected page URL listed in faces-config.
That is, faces-config has:
<protected-views>
    <url-pattern>/page.xhtml</url-pattern>
</protected-views>
But it is expecting page.xhtml?token=123
Further Edit:
We just noticed that this error happens only when the page is opened in a new tab, i.e. with links generated with a target="_blank" attribute. Copying the URL to the clipboard and pasting it into the address bar of a new tab loads the page correctly.
Answer 1:
Noticing that it only broke in new tabs gave me more to go on when researching the problem.
Adding this to the links fixes it:
rel="noopener noreferrer"
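As an added illustration (not part of the original thread), here is what the pieces described above look like together: the protected-views entries in faces-config.xml and a search page linking to the view page in a new tab with rel="noopener noreferrer". The view names, the outcome and the parameter p are assumed from the question; with noreferrer the browser sends no Referer header for the new tab, so the Referer-based protected-view check in the stack trace above is not triggered, while the javax.faces.Token parameter that h:link appends is still checked.

```xml
<!-- faces-config.xml: both pages are listed, so either may refer to the other -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              version="2.2">
    <protected-views>
        <url-pattern>/finance/commitmentregister/search.xhtml</url-pattern>
        <url-pattern>/finance/commitmentregister/view.xhtml</url-pattern>
    </protected-views>
</faces-config>

<!-- search.xhtml: link that opens view.xhtml in a new tab (assumed markup) -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html"
      xmlns:f="http://xmlns.jcp.org/jsf/core">
<h:body>
    <!-- h:link appends javax.faces.Token because the outcome is a protected view;
         noreferrer suppresses the Referer header that failed the check in the new tab -->
    <h:link outcome="view" value="Open in new tab"
            target="_blank" rel="noopener noreferrer">
        <f:param name="p" value="4"/>
    </h:link>
</h:body>
</html>
```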
Source: https://stackoverflow.com/questions/51861619/error-using-jsf-protected-views-when-opening-a-new-tab