Magento 2.3 upgrade breaks HTTP POST requests to custom module endpoint The Next CEO of Stack OverflowExternal Request - Invalid Form Key Magento 2.3How to bypass CSRF validation for certain requests like payment gateway webhook?magento2.3 controller won't handle post methodMagento 2.3 upgrade breaks HTTP POST requests to custom module endpoint - Is there a backwards compatible solution?How can i rewrite TierPrice Block in Magento2magento 2 captcha not rendering if I override layout xmlHow to introduce a new type for widget parameter in Magento2?main.CRITICAL: Plugin class doesn't existMagento 2 : Problem while adding custom button order view page?Magento 2.2.5: Overriding Admin Controller sales/orderMagento 2.2.5: Add, Update and Delete existing products Custom OptionsMagento 2.3 upgrade breaks HTTP POST requests to custom module endpoint - Is there a backwards compatible solution?How to create AJAX action for POST requests in Magento 2.3?How to bypass CSRF validation for certain requests like payment gateway webhook?
Increase performance creating Mandelbrot set in python
How to use tikz in fbox?
Only print output after finding pattern
Unreliable Magic - Is it worth it?
Inappropriate reference requests from Journal reviewers
How to make a variable always equal to the result of some calculations?
How do I get the green key off the shelf in the Dobby level of Lego Harry Potter 2?
How to write papers efficiently when English isn't my first language?
Why do professional authors make "consistency" mistakes? And how to avoid them?
Anatomically Correct Strange Women In Ponds Distributing Swords
Does it take more energy to get to Venus or to Mars?
How do we know the LHC results are robust?
How to Reset Passwords on Multiple Websites Easily?
Why here is plural "We went to the movies last night."
Is the concept of a "numerable" fiber bundle really useful or an empty generalization?
Natural language into sentence logic
What is the purpose of the Evocation wizard's Potent Cantrip feature?
Describing a person. What needs to be mentioned?
Why didn't Khan get resurrected in the Genesis Explosion?
What is the difference between "behavior" and "behaviour"?
Return the Closest Prime Number
Is HostGator storing my password in plaintext?
Visit to the USA with ESTA approved before trip to Iran
Robert Sheckley short story about vacation spots being overwhelmed
Magento 2.3 upgrade breaks HTTP POST requests to custom module endpoint
The Next CEO of Stack OverflowExternal Request - Invalid Form Key Magento 2.3How to bypass CSRF validation for certain requests like payment gateway webhook?magento2.3 controller won't handle post methodMagento 2.3 upgrade breaks HTTP POST requests to custom module endpoint - Is there a backwards compatible solution?How can i rewrite TierPrice Block in Magento2magento 2 captcha not rendering if I override layout xmlHow to introduce a new type for widget parameter in Magento2?main.CRITICAL: Plugin class doesn't existMagento 2 : Problem while adding custom button order view page?Magento 2.2.5: Overriding Admin Controller sales/orderMagento 2.2.5: Add, Update and Delete existing products Custom OptionsMagento 2.3 upgrade breaks HTTP POST requests to custom module endpoint - Is there a backwards compatible solution?How to create AJAX action for POST requests in Magento 2.3?How to bypass CSRF validation for certain requests like payment gateway webhook?
I have a custom module with a defined route as:
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
<router id="standard">
<route id="custom_module" frontName="custom-module">
<module name="Custom_Module" />
</route>
</router>
</config>
With previous versions of Magento both GET and POST requests would work fine to http://mywebsite.com/custom-module/controllername
After upgrading to Magento 2.3.0, GET requests still work as before, however POST requests now do not call the execute() method of the controller. Instead, they respond with a 200 OK and a response body that is the homepage html of the website.
Does this have to do with some Csrf security feature and form keys that was added in v2.3?
magento2 magento2.3
edited Dec 13 '18 at 4:39
Keyur Shah
13.2k24165
asked Dec 12 '18 at 17:54
snezsnez
2401211
add a comment |
I have a custom module with a defined route as:
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
<router id="standard">
<route id="custom_module" frontName="custom-module">
<module name="Custom_Module" />
</route>
</router>
</config>
With previous versions of Magento both GET and POST requests would work fine to http://mywebsite.com/custom-module/controllername
After upgrading to Magento 2.3.0, GET requests still work as before, however POST requests now do not call the execute() method of the controller. Instead, they respond with a 200 OK and a response body that is the homepage html of the website.
Does this have to do with some Csrf security feature and form keys that was added in v2.3?
magento2 magento2.3
edited Dec 13 '18 at 4:39
Keyur Shah
13.2k24165
asked Dec 12 '18 at 17:54
snezsnez
2401211
add a comment |
I have a custom module with a defined route as:
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
<router id="standard">
<route id="custom_module" frontName="custom-module">
<module name="Custom_Module" />
</route>
</router>
</config>
With previous versions of Magento both GET and POST requests would work fine to http://mywebsite.com/custom-module/controllername
After upgrading to Magento 2.3.0, GET requests still work as before, however POST requests now do not call the execute() method of the controller. Instead, they respond with a 200 OK and a response body that is the homepage html of the website.
Does this have to do with some Csrf security feature and form keys that was added in v2.3?
magento2 magento2.3
edited Dec 13 '18 at 4:39
Keyur Shah
13.2k24165
asked Dec 12 '18 at 17:54
snezsnez
2401211
I have a custom module with a defined route as:
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
<router id="standard">
<route id="custom_module" frontName="custom-module">
<module name="Custom_Module" />
</route>
</router>
</config>
With previous versions of Magento both GET and POST requests would work fine to http://mywebsite.com/custom-module/controllername
After upgrading to Magento 2.3.0, GET requests still work as before, however POST requests now do not call the execute() method of the controller. Instead, they respond with a 200 OK and a response body that is the homepage html of the website.
Does this have to do with some Csrf security feature and form keys that was added in v2.3?
magento2 magento2.3
magento2 magento2.3
edited Dec 13 '18 at 4:39
Keyur Shah
13.2k24165
asked Dec 12 '18 at 17:54
snezsnez
2401211
edited Dec 13 '18 at 4:39
Keyur Shah
13.2k24165
asked Dec 12 '18 at 17:54
snezsnez
2401211
edited Dec 13 '18 at 4:39
Keyur Shah
13.2k24165
edited Dec 13 '18 at 4:39
Keyur Shah
13.2k24165
edited Dec 13 '18 at 4:39
Keyur Shah
13.2k24165
13.2k24165
asked Dec 12 '18 at 17:54
snezsnez
2401211
asked Dec 12 '18 at 17:54
snezsnez
2401211
asked Dec 12 '18 at 17:54
snezsnez
2401211
2401211
add a comment |
add a comment |
4 Answers
4
active
oldest
votes
Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:
use MagentoFrameworkAppCsrfAwareActionInterface;
use MagentoFrameworkAppRequestInterface;
use MagentoFrameworkAppRequestInvalidRequestException;
class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface
public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
return null;
public function validateForCsrf(RequestInterface $request): ?bool
return true;
This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.
answered Dec 18 '18 at 15:15
snezsnez
2401211
Working like a charm. this is what i am looking at.. thanks!!
– Pravin
Jan 12 at 15:44
Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078
– gemig_hol
Mar 17 at 17:26
add a comment |
One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.
if (PHP_VERSION_ID < 70100)
class Index extends ExtendableMain
else
class Index extends ExtendableCsrCompatible
Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:
class Main extends Action
execute() ...
And
class CsrCompatible extends Main implements CsrfAwareActionInterface
//interface functions
The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.
answered Feb 10 at 7:59
augsteyeraugsteyer
1914
add a comment |
Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3
Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X
Put it in the constructor of the Action.
// CsrfAwareAction Magento2.3 compatibility
if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
$request = $this->getRequest();
if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
$formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
$request->setParam('form_key', $formKey->getFormKey());
answered Feb 12 at 16:49
smartinsmartin
1267
add a comment |
Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class
This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.
di.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
<type name="MagentoFrameworkAppRequestCsrfValidator">
<plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
</type>
</config>
CsrfValidatorSkip.php
<?php
namespace ModuleVendorPlugin;
class CsrfValidatorSkip
/**
* @param MagentoFrameworkAppRequestCsrfValidator $subject
* @param Closure $proceed
* @param MagentoFrameworkAppRequestInterface $request
* @param MagentoFrameworkAppActionInterface $action
*/
public function aroundValidate(
$subject,
Closure $proceed,
$request,
$action
)
if ($request->getModuleName() == 'Your_Module_frontName_Here')
return; // Skip CSRF check
$proceed($request, $action); // Proceed Magento 2 core functionalities
Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.
answered yesterday
AnanthMage2AnanthMage2
11
New contributor
AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "479"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f253414%2fmagento-2-3-upgrade-breaks-http-post-requests-to-custom-module-endpoint%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:
use MagentoFrameworkAppCsrfAwareActionInterface;
use MagentoFrameworkAppRequestInterface;
use MagentoFrameworkAppRequestInvalidRequestException;
class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface
public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
return null;
public function validateForCsrf(RequestInterface $request): ?bool
return true;
This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.
answered Dec 18 '18 at 15:15
snezsnez
2401211
Working like a charm. this is what i am looking at.. thanks!!
– Pravin
Jan 12 at 15:44
Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078
– gemig_hol
Mar 17 at 17:26
add a comment |
Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:
use MagentoFrameworkAppCsrfAwareActionInterface;
use MagentoFrameworkAppRequestInterface;
use MagentoFrameworkAppRequestInvalidRequestException;
class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface
public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
return null;
public function validateForCsrf(RequestInterface $request): ?bool
return true;
This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.
answered Dec 18 '18 at 15:15
snezsnez
2401211
Working like a charm. this is what i am looking at.. thanks!!
– Pravin
Jan 12 at 15:44
Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078
– gemig_hol
Mar 17 at 17:26
add a comment |
Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:
use MagentoFrameworkAppCsrfAwareActionInterface;
use MagentoFrameworkAppRequestInterface;
use MagentoFrameworkAppRequestInvalidRequestException;
class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface
public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
return null;
public function validateForCsrf(RequestInterface $request): ?bool
return true;
This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.
answered Dec 18 '18 at 15:15
snezsnez
2401211
Found the solution, your controller must implement CsrfAwareActionInterface and 2 of its methods:
use MagentoFrameworkAppCsrfAwareActionInterface;
use MagentoFrameworkAppRequestInterface;
use MagentoFrameworkAppRequestInvalidRequestException;
class MyController extends MagentoFrameworkAppActionAction implements CsrfAwareActionInterface
public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
return null;
public function validateForCsrf(RequestInterface $request): ?bool
return true;
This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier.
answered Dec 18 '18 at 15:15
snezsnez
2401211
answered Dec 18 '18 at 15:15
snezsnez
2401211
answered Dec 18 '18 at 15:15
snezsnez
2401211
answered Dec 18 '18 at 15:15
snezsnez
2401211
2401211
Working like a charm. this is what i am looking at.. thanks!!
– Pravin
Jan 12 at 15:44
Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078
– gemig_hol
Mar 17 at 17:26
add a comment |
Working like a charm. this is what i am looking at.. thanks!!
– Pravin
Jan 12 at 15:44
Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078
– gemig_hol
Mar 17 at 17:26
Working like a charm. this is what i am looking at.. thanks!!
– Pravin
Jan 12 at 15:44
Working like a charm. this is what i am looking at.. thanks!!
– Pravin
Jan 12 at 15:44
Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078
– gemig_hol
Mar 17 at 17:26
Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078
– gemig_hol
Mar 17 at 17:26
add a comment |
One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.
if (PHP_VERSION_ID < 70100)
class Index extends ExtendableMain
else
class Index extends ExtendableCsrCompatible
Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:
class Main extends Action
execute() ...
And
class CsrCompatible extends Main implements CsrfAwareActionInterface
//interface functions
The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.
answered Feb 10 at 7:59
augsteyeraugsteyer
1914
add a comment |
One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.
if (PHP_VERSION_ID < 70100)
class Index extends ExtendableMain
else
class Index extends ExtendableCsrCompatible
Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:
class Main extends Action
execute() ...
And
class CsrCompatible extends Main implements CsrfAwareActionInterface
//interface functions
The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.
answered Feb 10 at 7:59
augsteyeraugsteyer
1914
add a comment |
One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.
if (PHP_VERSION_ID < 70100)
class Index extends ExtendableMain
else
class Index extends ExtendableCsrCompatible
Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:
class Main extends Action
execute() ...
And
class CsrCompatible extends Main implements CsrfAwareActionInterface
//interface functions
The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.
answered Feb 10 at 7:59
augsteyeraugsteyer
1914
One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.
if (PHP_VERSION_ID < 70100)
class Index extends ExtendableMain
else
class Index extends ExtendableCsrCompatible
Where ExtendableMain has the logic for execute() and CsrCompatible can both extend ExtendableMain and implements CsrfAwareActionInterface. E.g:
class Main extends Action
execute() ...
And
class CsrCompatible extends Main implements CsrfAwareActionInterface
//interface functions
The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.
answered Feb 10 at 7:59
augsteyeraugsteyer
1914
answered Feb 10 at 7:59
augsteyeraugsteyer
1914
answered Feb 10 at 7:59
augsteyeraugsteyer
1914
answered Feb 10 at 7:59
augsteyeraugsteyer
1914
1914
add a comment |
add a comment |
Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3
Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X
Put it in the constructor of the Action.
// CsrfAwareAction Magento2.3 compatibility
if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
$request = $this->getRequest();
if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
$formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
$request->setParam('form_key', $formKey->getFormKey());
answered Feb 12 at 16:49
smartinsmartin
1267
add a comment |
Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3
Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X
Put it in the constructor of the Action.
// CsrfAwareAction Magento2.3 compatibility
if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
$request = $this->getRequest();
if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
$formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
$request->setParam('form_key', $formKey->getFormKey());
answered Feb 12 at 16:49
smartinsmartin
1267
add a comment |
Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3
Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X
Put it in the constructor of the Action.
// CsrfAwareAction Magento2.3 compatibility
if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
$request = $this->getRequest();
if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
$formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
$request->setParam('form_key', $formKey->getFormKey());
answered Feb 12 at 16:49
smartinsmartin
1267
Implement CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3
Here is a trick (injecting the Key to the request on the Action) that is compatible with Magento 2.X
Put it in the constructor of the Action.
// CsrfAwareAction Magento2.3 compatibility
if (interface_exists("MagentoFrameworkAppCsrfAwareActionInterface"))
$request = $this->getRequest();
if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key')))
$formKey = $this->_objectManager->get(MagentoFrameworkDataFormFormKey::class);
$request->setParam('form_key', $formKey->getFormKey());
answered Feb 12 at 16:49
smartinsmartin
1267
answered Feb 12 at 16:49
smartinsmartin
1267
answered Feb 12 at 16:49
smartinsmartin
1267
answered Feb 12 at 16:49
smartinsmartin
1267
1267
add a comment |
add a comment |
Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class
This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.
di.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
<type name="MagentoFrameworkAppRequestCsrfValidator">
<plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
</type>
</config>
CsrfValidatorSkip.php
<?php
namespace ModuleVendorPlugin;
class CsrfValidatorSkip
/**
* @param MagentoFrameworkAppRequestCsrfValidator $subject
* @param Closure $proceed
* @param MagentoFrameworkAppRequestInterface $request
* @param MagentoFrameworkAppActionInterface $action
*/
public function aroundValidate(
$subject,
Closure $proceed,
$request,
$action
)
if ($request->getModuleName() == 'Your_Module_frontName_Here')
return; // Skip CSRF check
$proceed($request, $action); // Proceed Magento 2 core functionalities
Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.
answered yesterday
AnanthMage2AnanthMage2
11
New contributor
AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class
This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.
di.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
<type name="MagentoFrameworkAppRequestCsrfValidator">
<plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
</type>
</config>
CsrfValidatorSkip.php
<?php
namespace ModuleVendorPlugin;
class CsrfValidatorSkip
/**
* @param MagentoFrameworkAppRequestCsrfValidator $subject
* @param Closure $proceed
* @param MagentoFrameworkAppRequestInterface $request
* @param MagentoFrameworkAppActionInterface $action
*/
public function aroundValidate(
$subject,
Closure $proceed,
$request,
$action
)
if ($request->getModuleName() == 'Your_Module_frontName_Here')
return; // Skip CSRF check
$proceed($request, $action); // Proceed Magento 2 core functionalities
Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.
answered yesterday
AnanthMage2AnanthMage2
11
New contributor
AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class
This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.
di.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
<type name="MagentoFrameworkAppRequestCsrfValidator">
<plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
</type>
</config>
CsrfValidatorSkip.php
<?php
namespace ModuleVendorPlugin;
class CsrfValidatorSkip
/**
* @param MagentoFrameworkAppRequestCsrfValidator $subject
* @param Closure $proceed
* @param MagentoFrameworkAppRequestInterface $request
* @param MagentoFrameworkAppActionInterface $action
*/
public function aroundValidate(
$subject,
Closure $proceed,
$request,
$action
)
if ($request->getModuleName() == 'Your_Module_frontName_Here')
return; // Skip CSRF check
$proceed($request, $action); // Proceed Magento 2 core functionalities
Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.
answered yesterday
AnanthMage2AnanthMage2
11
New contributor
AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Please check more generous solution that does not change core functionality, you can use around plugin on Validate function of MagentoFrameworkAppRequestCsrfValidator class
This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.
di.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
<type name="MagentoFrameworkAppRequestCsrfValidator">
<plugin name="csrf_validator_skip" type="ModuleVendorPluginCsrfValidatorSkip" />
</type>
</config>
CsrfValidatorSkip.php
<?php
namespace ModuleVendorPlugin;
class CsrfValidatorSkip
/**
* @param MagentoFrameworkAppRequestCsrfValidator $subject
* @param Closure $proceed
* @param MagentoFrameworkAppRequestInterface $request
* @param MagentoFrameworkAppActionInterface $action
*/
public function aroundValidate(
$subject,
Closure $proceed,
$request,
$action
)
if ($request->getModuleName() == 'Your_Module_frontName_Here')
return; // Skip CSRF check
$proceed($request, $action); // Proceed Magento 2 core functionalities
Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.
answered yesterday
AnanthMage2AnanthMage2
11
New contributor
AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
AnanthMage2AnanthMage2
11
New contributor
AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
AnanthMage2AnanthMage2
11
answered yesterday
AnanthMage2AnanthMage2
11
11
New contributor
AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
AnanthMage2 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Thanks for contributing an answer to Magento Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f253414%2fmagento-2-3-upgrade-breaks-http-post-requests-to-custom-module-endpoint%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
