Request changed from HTTP GET to POST #282

swapnilmak opened this issue Jul 26, 2022 · 10 comments

@swapnilmak

I have upgraded the Atmosphere version from 2.5.12 to 2.7.6 and the atmosphere javascript version from 2.3.9 to 3.1.3 in my application.
I noticed the below change in the latest atmosphere javascript version in the _pushOnClose method.

```javascript
if (_request.unloadBackwardCompat) {
    _executeRequest(rq);
} else {
    navigator.sendBeacon(rq.url, rq.data);
}
```

In the previous version, there was no such if condition. So, it was always executing the _executeRequest method (HTTP GET method) whenever we close the socket connection.
In the new version, as we are using unloadBackwardCompat as false, it always executes the else block and sends an HTTP POST request. For this POST request, I am getting a 403 Forbidden error.

Can you please confirm whether it is a bug? And let me know the purpose of this unloadBackwardCompat.

Also, I wanted to confirm whether this "rq" object is configurable externally? Can we set rq.unloadBackwardCompat to true?

Atmosphere Info

  • version 2.6.1
  • atmosphere.js 2.3.9

Systems:

  • OS: Windows 10
  • Java: version 8
  • payara: 5.2022.2
  • Spring-version: 5.3.19
@swapnilmak
Author

@jfarcand Can you please verify the above issue?

@jfarcand
Member

jfarcand commented Aug 1, 2022

@swapnilmak Use the unloadBackwardCompat if you and if you are using an old browser. This feature (sending GET request) when a page unloads is no longer supported by browsers.

@jfarcand jfarcand closed this as completed Aug 1, 2022
@swapnilmak
Author

@jfarcand Thank you for confirming. As I mentioned before, with the new behaviour we are sending a POST request and I am facing a 403 Forbidden error. It looks like we are not considering the CSRF token while sending this request, and because of that the backend is complaining.
Can you please let me know why Atmosphere does not care about the CSRF token? Is there a way to pass the CSRF token in this POST request?

@jfarcand
Member

jfarcand commented Aug 2, 2022

@swapnilmak Are you saying the POST is missing some query params, missing your CSRF token? Just give me an example of what is sent back to the server.

@jfarcand jfarcand reopened this Aug 2, 2022
@swapnilmak
Author

For all GET methods, there is no problem. Just for this navigator.sendBeacon (POST method), I am getting this 403 error. Please find below the information:

General:

Response Headers:

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Origin: http://localhost:8080
  • Access-Control-Expose-Headers: X-Atmosphere-tracking-id, X-Heartbeat-Server
  • Cache-Control: no-store, no-cache, must-revalidate
  • Expires: -1
  • Pragma: no-cache
  • Server: ""
  • Transfer-Encoding: chunked
  • X-Atmosphere-tracking-id: 7936ccd2-f046-43c3-a6f0-e4de52b47ec5
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block

Request Headers:

  • Accept: */*
  • Accept-Encoding: gzip, deflate
  • Accept-Language: en-US,en;q=0.9
  • Connection: keep-alive
  • Content-Length: 0
  • Content-Type: text/plain;charset=UTF-8
  • Cookie: JSESSIONID=e995f161238d64e628f2622ad8a6
  • Host: localhost:8080
  • Origin: http://localhost:8080
  • Referer: http://localhost:8080/****/***/***
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

@swapnilmak
Author

I closed it by mistake.

@swapnilmak swapnilmak reopened this Aug 2, 2022
@jfarcand
Member

jfarcand commented Aug 2, 2022

OK I suspect the problem is from the way your server is configured. Can you share what the GET request looks like?

@swapnilmak
Author

GET request is as below:

General:

Response Headers:

  • Cache-Control: no-store, no-cache, must-revalidate
  • Content-Type: application/json
  • Expires: -1
  • Pragma: no-cache
  • Server: ""
  • Transfer-Encoding: chunked
  • X-Atmosphere-first-request: true
  • X-Atmosphere-tracking-id: 23816c37-0018-4c2e-9f29-b18a12b27f8d
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block

Request Headers:

  • Accept: text/plain, */*; q=0.01
  • Accept-Encoding: gzip, deflate
  • Accept-Language: en-US,en;q=0.9
  • Connection: keep-alive
  • Cookie: JSESSIONID=22a80c5b0a1928e471e02225b632
  • Host: localhost:8080
  • Referer: http://localhost:8080/***/***/***
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
  • X-CSRF-TOKEN: 0cd7b932-43c8-414b-88f6-ca88365b6e5b
  • X-Requested-With: XMLHttpRequest

@swapnilmak
Author

@jfarcand Did you get a chance to look at the GET request?

@swapnilmak
Author

Hi @jfarcand, I appreciate your time, and I hope that you have had an opportunity to review my previous comment. As you can see in the GET request, in the old version of Atmosphere 2.5.12 (AtmosphereJS 2.3.9), Atmosphere is adding the CSRF token value in the HTTP header, but in the new version of Atmosphere 2.7.6 (AtmosphereJS 3.1.3), Atmosphere does not add the CSRF token value in the HTTP header this time for the POST request. Is there a way to pass the CSRF token in this POST request too? I would appreciate it if you could introduce this change in the next version of Atmosphere.
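
Added example (not part of the thread and not Atmosphere's code): `navigator.sendBeacon(url, data)` has no way to set request headers, which is why the `X-CSRF-TOKEN` header seen on the GET is absent from the POST. The sketch below carries the token in a form-encoded body instead. It assumes the server's CSRF check also accepts a `_csrf` body parameter; that name, the `data` field, the `legacySend` callback and the URL are assumptions, and `rq` only mirrors the fields visible in the snippet quoted in the issue.

```javascript
// Added example: not Atmosphere's code. `rq` mirrors the fields visible in the
// snippet quoted in the issue (url, data, unloadBackwardCompat).

const CSRF_HEADER = "X-CSRF-TOKEN"; // header seen on the GET request in this thread
const CSRF_PARAM = "_csrf";         // assumed body parameter read by the server's CSRF check

// A URLSearchParams body is sent as application/x-www-form-urlencoded, so the
// token reaches the server as an ordinary form parameter.
function buildBeaconBody(rq, csrfToken) {
  const body = new URLSearchParams();
  body.set(CSRF_PARAM, csrfToken);
  if (rq.data) body.set("data", String(rq.data)); // "data" field name is assumed
  return body;
}

// Returns a description of what was sent so callers and tests can inspect it.
function pushOnClose(rq, csrfToken, nav, legacySend) {
  if (!csrfToken) {
    return { sent: false, reason: "missing-csrf-token" };
  }
  if (rq.unloadBackwardCompat) {
    // Legacy path: an XHR-style request can still carry the header.
    legacySend(rq, { [CSRF_HEADER]: csrfToken });
    return { sent: true, via: "xhr" };
  }
  // Keep the token out of rq.url: query strings end up in access logs and Referer.
  const queued = nav.sendBeacon(rq.url, buildBeaconBody(rq, csrfToken));
  // sendBeacon returns false when the browser refuses to queue the payload.
  return queued
    ? { sent: true, via: "beacon" }
    : { sent: false, reason: "beacon-rejected" };
}

// Constructed demo with a stub standing in for window.navigator.
function demo() {
  const calls = [];
  const nav = {
    sendBeacon: (url, body) => { calls.push({ url, body: body.toString() }); return true; },
  };
  const rq = { url: "http://localhost:8080/app/push", data: "", unloadBackwardCompat: false };
  const result = pushOnClose(rq, "constructed-token-123", nav, () => {});
  return { result, calls };
}
```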
