h3. Problem
Watching or un-watching a Confluence page, and other operations (see the list of identified endpoints below), generate a request like the one below (copied as curl from a HAR capture for convenience; the cookie value is sanitised and the token is a placeholder):
{code:java}
curl 'https://confluence/rest/api/user/watch/content/9999999' \
  -X 'DELETE' \
  -H 'authority: k8s-55855.prod.atl-cd.net' \
  -H 'accept: application/json, text/javascript, */*; q=0.01' \
  -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'cookie: sanitised' \
  -H 'origin: https://confluence' \
  -H 'pragma: no-cache' \
  -H 'referer: https://confluence/display/TROL/2023-12-01+Meeting+notes' \
  -H 'sec-ch-ua: "Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36' \
  -H 'x-requested-with: XMLHttpRequest' \
  --data-raw 'atl_token=12345abcdef67890abcdef' \
  --compressed
{code}
Although the {{content-type}} of this DELETE request is set to {{application/json}}, the payload is plain text. For the body to be valid JSON it would have to be a quoted string, i.e. {{"atl_token=12345abcdef67890abcdef"}}.
Requests like the above cause problems wherever the compliance between the {{content-type}} and the payload is checked strictly, e.g. by a firewall or other network equipment that performs packet inspection: the declared type promises JSON, the body is not JSON, and the request is dropped.
We should either change the {{content-type}} we set (to {{text/plain}}, or at least include it), or add double quotes around {{atl_token=12345abcdef67890abcdef}} so that the JSON validation passes.
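The following is an added example, not code from the issue or from Confluence, that models the strict content-type check described above and shows why the request as reported fails it while both proposed fixes pass. The sample requests, the header-vs-body rule and the helper names ({{inspect_request}}, {{body_matches_content_type}}) are constructed assumptions; real inspection products differ in what they enforce.

```python
import json

# Constructed sample requests modelled on the DELETE in the issue (not captured traffic).
# The token value is the placeholder used in the issue text, not a real token.
TOKEN_BODY = "atl_token=12345abcdef67890abcdef"

SAMPLE_REQUESTS = {
    # Exactly the mismatch reported: JSON declared, bare key=value sent.
    "as_reported": {
        "method": "DELETE",
        "headers": {"content-type": "application/json"},
        "body": TOKEN_BODY,
    },
    # Proposed fix 1: keep application/json but send the token as a JSON string literal.
    "fix_quote_body": {
        "method": "DELETE",
        "headers": {"content-type": "application/json"},
        "body": json.dumps(TOKEN_BODY),  # "atl_token=12345abcdef67890abcdef"
    },
    # Proposed fix 2: declare what is actually being sent.
    "fix_text_plain": {
        "method": "DELETE",
        "headers": {"content-type": "text/plain"},
        "body": TOKEN_BODY,
    },
    # For comparison: the body would also be honest as a form-encoded request.
    "form_encoded": {
        "method": "DELETE",
        "headers": {"content-type": "application/x-www-form-urlencoded"},
        "body": TOKEN_BODY,
    },
}


def media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def body_matches_content_type(content_type: str, body: str) -> bool:
    """True when the body parses under the declared media type.

    Assumed model of the 'strict compliance check' the issue attributes to
    firewalls / packet inspection; it only validates the types it knows about.
    """
    mt = media_type(content_type)
    if mt == "application/json":
        try:
            json.loads(body)
        except json.JSONDecodeError:
            return False
        return True
    if mt == "application/x-www-form-urlencoded":
        # Every non-empty segment must be key=value with a non-empty key.
        return all("=" in seg and seg.split("=", 1)[0] for seg in body.split("&") if seg)
    # text/plain and anything else: no structure to validate.
    return True


def inspect_request(req: dict) -> dict:
    """Return a verdict for one request: declared media type and whether the body complies."""
    ct = req["headers"].get("content-type", "")
    ok = body_matches_content_type(ct, req["body"])
    return {
        "method": req["method"],
        "declared": media_type(ct),
        "compliant": ok,
        "reason": "" if ok else f"body is not valid {media_type(ct)}",
    }


def inspect_all(requests: dict) -> dict:
    """Run the check over a named set of requests."""
    return {name: inspect_request(r) for name, r in requests.items()}


if __name__ == "__main__":
    for name, verdict in inspect_all(SAMPLE_REQUESTS).items():
        status = "PASS" if verdict["compliant"] else "BLOCK"
        print(f"{status:5} {name:16} {verdict['declared']:36} {verdict['reason']}")
```

Running it prints one line per sample: only {{as_reported}} is marked BLOCK, which is the behaviour the issue observes behind an inspecting firewall. The quoted-body fix is the smaller client change; the {{text/plain}} fix is the more honest one, since the body is not JSON at all.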
h4. Endpoints reported as affected
"Save for Later" (make favourite) a page
{code:java}
Request URL: https://CONFLUENCE_HOME/confluence/rest/experimental/relation/user/current/favourite/toContent/<PAGE_ID>
{code}
Deselect a page as favourite
{code:java}
Request URL: https://CONFLUENCE_HOME/confluence/rest/experimental/relation/user/current/favourite/toContent/<PAGE_ID>
{code}
Discard an unpublished draft (existing page)
{code:java}
Request URL: https://CONFLUENCE_HOME/confluence/rest/synchrony/1.0/content/<PAGE_ID>/changes/unpublished
{code}
Delete a draft (never-published page)
{code:java}
Request URL: https://CONFLUENCE_HOME/confluence/rest/api/content/<PAGE_ID>?status=draft
{code}
Delete a link on the sidebar
{code:java}
Request URL: https://CONFLUENCE_HOME/confluence/rest/ia/1.0/link/<LINK_ID>
{code}
h3. Workaround
Set an exception on the firewall to allow these non-compliant requests.
||CPE||Name||Operator||Version||
| |confluence data center|le|7.19.16|
| |confluence data center|le|8.5.6|
| |confluence data center|le|7.19.20|
| |confluence data center|le|8.8.1|