Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is a type of exploit that allows attackers to perform unauthorized actions on behalf of a user that the web application trusts. For example, if you are logged into Sisense, and open another web page or email provided by the attacker, this can allow the attacker to exploit your authenticated session in Sisense and perform unwanted actions.

Note:

If you enable CSRF Protection, you cannot use SisenseJS, Sisense Mobile, or Sisense embedded in iFrames.

If CSRF Protection is turned on, a request from your add-on to the Sisense API can return a '403 Forbidden' error, because the server rejects requests that do not carry the headers the protection expects. To keep working with the Sisense API under the new restrictions, Sisense implemented a new service called 'httpCommunicateService'. Every add-on that makes HTTP requests to the Sisense API should use the 'httpCommunicateService' service when CSRF Protection is enabled. This service makes the request to the server for you with the updated headers. Below are several examples of how you can use the service in your add-ons.

Add one of the httpCommunicate service files to your add-on (three versions are attached: an Angular service in ES5, an Angular service in ES6, and a pure JavaScript ES6 module).

For Angular

  1. Download the relevant file and include it with your add-on:

    • Angular ES5
    • Angular ES6
  2. Import the file with the following command:

    ES5

    import { httpCommunicate } from './httpCommunicate.6';

    ES6

    import { httpCommunicate } from './httpCommunicate.5';

    In your add-on, you can create an object, for example:

    const config = { url: '/api/groups', method: 'GET', data: {} };

    and then use the object in functions:

    httpCommunicate(config);

    or as an Angular service:

    $httpCommunicateService.httpCommunicate(config);

For JavaScript

  1. Download the relevant file and include it with your add-on:

    • JavaScript ES6
  2. Import the file with the following command:

    import { httpCommunicate } from './httpCommunicate.5';

    In your add-on, you can create an object, for example:

    const config = { type: 'GET', url: '/api/groups', data: {}, success: (data) => {}, error: (err) => {} };

    and then use the object in functions:

    httpCommunicate(config, true);

    or as an Angular service:

    $httpCommunicateService.httpCommunicate(config, true);
