<div dir="ltr"><div dir="ltr">Dear Alessio,<div><br></div><div>I have made the changes in my local environment of GeoNode. Please find the details below.</div><div><br></div><div><b>ISSUE:</b> <b>Use of HttpOnly flag for CSRF cookie</b><br></div><div><b><br></b></div><div><b>(i)</b> Set the flag in settings.py: <b>CSRF_COOKIE_HTTPONLY=True</b></div><div><b><br></b></div><div><b>(ii)</b> In all of the following files, the code that reads the CSRF token value from the <b>cookie is commented out</b> and <b>new code is added</b> which reads the CSRF token value from the <b>hidden input field</b> named <b>csrfmiddlewaretoken</b>:</div><div><b>a.</b> /usr/lib/python2.7/site-packages/autocomplete_light/templates/autocomplete_light/_ajax_csrf.html</div> b. /home/geonode/geonode/static_root/pinax/js/theme.js<br> c. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js<br> d. /home/geonode/geonode/static_root/pinax/js/theme.js<br> e. /home/geonode/geonode/static_root/geonode/js/utils/util.js<br> f. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js<div> </div><div><b>The following functions in the above files are modified to: var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val(); return csrftoken;</b></div> <div><b>getCRSFToken</b>: function() {</div> // Reads the token from document.cookie; yields undefined once the cookie is HttpOnly<br> var csrfToken, csrfMatch = document.cookie.match(/csrftoken=(\w+)/);<br> if (csrfMatch && csrfMatch.length > 0) {<br> csrfToken = csrfMatch[1];<br> }<br> return csrfToken;<br> },<div><br></div><div><b>function getCookie(name)</b> {<br> // Generic cookie lookup; returns null when the named cookie is not visible to script<br> var cookieValue = null;<br> if (document.cookie && document.cookie !== '') {<br> var cookies = document.cookie.split(';');<br> for (var i = 0; i < cookies.length; i++) {<br> var cookie = $.trim(cookies[i]);<br> // Does this cookie string begin with the name we want?<br> if (cookie.substring(0, name.length + 1) == (name + '=')) {<br> cookieValue = decodeURIComponent(cookie.substring(name.length + 1));<br> break;<br> }<br> }<br> }<br> return cookieValue;<br> }<br></div><div><br></div><div><br></div><div>Thanks & Regards,</div><div>Naresh N</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Aug 20, 2019 at 5:34 PM Alessio Fabiani <<a href="mailto:alessio.fabiani@geo-solutions.it">alessio.fabiani@geo-solutions.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Any chance to send a Pull Request to GeoNode along with the issue description?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Aug 20, 2019 at 1:05 PM Naresh N <<a href="mailto:naresh919@gmail.com" target="_blank">naresh919@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Dear All,</div><div><br></div><div>I was able to resolve the issue. The following changes were made. 
<br></div><div><br></div><div>1. settings.py: <b>CSRF_COOKIE_HTTPONLY=True</b></div><div><b>2.</b> In the following files, the <b>X-CSRFToken</b> value is assigned using var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val();</div><div> a. /usr/lib/python2.7/site-packages/autocomplete_light/templates/autocomplete_light/_ajax_csrf.html<br> b. /home/geonode/geonode/static_root/pinax/js/theme.js<br> c. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js<br> d. /home/geonode/geonode/static_root/pinax/js/theme.js<br> e. /home/geonode/geonode/static_root/geonode/js/utils/util.js<br> f. /home/geonode/geonode/static_root/geonode/js/extjs/GeoNode-mixin.js</div><div><br></div><div>Thanks & Regards,</div><div>Naresh.N<br></div><div>
</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Aug 19, 2019 at 3:05 PM Naresh N <<a href="mailto:naresh919@gmail.com" target="_blank">naresh919@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Dear all,</div><div><br></div><div>The following changes were made to enable the HttpOnly flag for cookies:</div><div><br></div><div>1. In settings.py: <b>CSRF_COOKIE_HTTPONLY=True</b></div><div>2. The <b>X-CSRFToken</b> value is set using jQuery: <b>var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val();</b></div><div><br></div><div>After making the above changes, layers are not getting uploaded and the page shows "CSRF validation failed". Please find the screenshot attached to this mail.</div><div><br></div><div>Kindly help me to fix the issue. Apart from the above-mentioned places, are there any other places that need changes?</div><div><br></div><div>Thanks & Regards,</div><div>Naresh.N</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 16, 2019 at 1:46 PM Naresh N <<a href="mailto:naresh919@gmail.com" target="_blank">naresh919@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Dear All,<div><br></div><div>Kindly help regarding the use of the httponly flag for cookies in GeoNode.</div><div><br></div><div>Thanks & Regards,</div><div>Naresh.N</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Aug 14, 2019 at 3:03 PM Naresh N <<a href="mailto:naresh919@gmail.com" target="_blank">naresh919@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Dear All,<div><br></div><div>We have used GeoNode for the development of our portal.</div><div>As part of the security measures, we have to set the cookie with the httponly flag. I have enabled the flag CSRF_COOKIE_HTTPONLY as true in settings.py, and then <b>upload layers</b> and other <b>AJAX request functions are not working.</b></div><div><br></div><div>Please suggest how to overcome this. Which are all the places where the code needs to be modified?</div><div><br></div><div>Thanks & Regards,</div><div>Naresh.N</div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail-m_6247961556041795882gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:12.8px"><span><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;font-size:11pt;white-space:pre-wrap">==</span><br></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">GeoServer Professional Services from the experts! Visit <a href="http://goo.gl/it488V" target="_blank">http://goo.gl/it488V</a> for more information.</span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">==</span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Ing. 
Alessio Fabiani</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">@alfa7691</span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Founder/Technical Lead</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">GeoSolutions S.A.S.</span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Via di Montramito 3/A - </span><span 
style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">55054 Massarosa (LU) - </span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Italy</span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">phone: +39 0584 962313</span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">fax: +39 0584 1660272</span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">mob: +39 331 6233686</span></p><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><a href="http://www.geo-solutions.it" target="_blank">http://www.geo-solutions.it</a></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><a href="http://twitter.com/geosolutions_it" target="_blank">http://twitter.com/geosolutions_it</a></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">-------------------------------------------------------</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">With reference to the legislation on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note that every circumstance concerning this email (its content, any attachments, etc.) is information whose knowledge is reserved to the recipient(s) indicated by the sender. If this message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.</span><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span></p></span></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</blockquote></div></div>
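The thread above moves the source of the CSRF token from document.cookie to the hidden csrfmiddlewaretoken input once CSRF_COOKIE_HTTPONLY=True is set, because an HttpOnly cookie is still sent by the browser but is no longer visible to script. The JavaScript below is an added example, not GeoNode's code nor the code posted in the thread: it puts the cookie lookup beside the hidden-field lookup, shows the X-CSRFToken header being built for a state-changing request, and refuses to send an unprotected request when no token can be found (the "CSRF validation failed" case). The fakeDocument helper and the token value are constructed stand-ins for the browser's document so the example runs offline; a real document object works in their place. Two caveats a practitioner would add: the hidden field only exists on pages that render {% csrf_token %}, and Django's own documentation notes that marking the CSRF cookie HttpOnly adds no practical CSRF protection, since script on the same origin can read the token from the form anyway. Also, files under site-packages and static_root are installed or collected copies that pip and collectstatic overwrite, so a lasting fix belongs in the project's own source templates and static files.

```javascript
// Added example (not GeoNode's code): CSRF token lookup with and without
// CSRF_COOKIE_HTTPONLY=True, and building the X-CSRFToken header from it.

// Cookie lookup in the style of the original getCookie() helper. Returns null
// when the cookie is absent from the cookie string, which is what happens for
// an HttpOnly cookie: the browser never exposes it through document.cookie.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const raw of cookieString.split(';')) {
    const cookie = raw.trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Hidden-field lookup: value of <input name="csrfmiddlewaretoken">, which
// Django's {% csrf_token %} tag renders. `doc` only needs querySelector().
function getCsrfTokenFromForm(doc) {
  const input = doc.querySelector('input[name="csrfmiddlewaretoken"]');
  return input ? input.value : null;
}

// Prefer the hidden field, fall back to the cookie, so the same code works
// whether or not the cookie is HttpOnly.
function resolveCsrfToken(doc) {
  return getCsrfTokenFromForm(doc) || getCookie('csrftoken', doc.cookie);
}

// Headers for a same-origin request. Django's CsrfViewMiddleware checks the
// X-CSRFToken header on unsafe methods (default CSRF_HEADER_NAME is
// HTTP_X_CSRFTOKEN). Throwing here surfaces the missing token in the client
// instead of letting the server answer 403 "CSRF verification failed".
function csrfHeaders(doc, method) {
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
  if (safe.includes(method.toUpperCase())) return {};
  const token = resolveCsrfToken(doc);
  if (!token) {
    throw new Error('CSRF token not found: the page must render {% csrf_token %}');
  }
  return { 'X-CSRFToken': token };
}

// Constructed stand-in for the browser document: `cookie` mimics
// document.cookie, `inputs` the hidden fields present in the page.
function fakeDocument(cookie, inputs) {
  return {
    cookie,
    querySelector(selector) {
      const m = selector.match(/name="([^"]+)"/);
      const name = m ? m[1] : selector;
      return inputs[name] !== undefined ? { value: inputs[name] } : null;
    },
  };
}

// Constructed token value (not a real secret).
const SAMPLE_TOKEN = 'Q7vZ2cNj9xKpL0sTwB4yHe6rUaG1mFdI';

// Scenario 1: cookie readable by script (CSRF_COOKIE_HTTPONLY=False, the default).
const docWithCookie = fakeDocument(
  `sessionid=abc123; csrftoken=${SAMPLE_TOKEN}`,
  { csrfmiddlewaretoken: SAMPLE_TOKEN }
);

// Scenario 2: CSRF_COOKIE_HTTPONLY=True. The cookie still travels with the
// request, but document.cookie no longer lists it; only the form field helps.
const docHttpOnly = fakeDocument(
  'sessionid=abc123',
  { csrfmiddlewaretoken: SAMPLE_TOKEN }
);

// Scenario 3: HttpOnly cookie on a page with no {% csrf_token %}: nothing is
// obtainable from script, so an AJAX POST would fail CSRF validation.
const docNoToken = fakeDocument('sessionid=abc123', {});
```

In a page, `fetch(url, { method: 'POST', headers: csrfHeaders(document, 'POST'), body })` or a jQuery `$.ajaxSetup({ beforeSend: ... })` hook that sets the same header covers every AJAX call, which is the "other places" question raised in the thread: the token source needs changing once, in one shared helper, rather than file by file.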