Hi, we've updated to version 9.12 from 9.4 (we will update to newer versions in following weeks), and when editing a document the Dojo UI stops working and the browser console shows this message: "Unable to load /EPiServer/cms/Stores/contentdata/1388457_1636022 status: 500".
Investigating I've found the issue is present in these 2 calls made by the Dojo UI:
/cms/Stores/contentversion/
/EPiServer/cms/Stores/inusenotification/
On the server side the exception is the following (I've replaced sensible data with *):
Cross-site request forgery detected [Client IP: 2.229.**.**, Referer: http://epistaging.**.it:81/EPiServer/Cms/, Url: http://epistaging.**.it:81/EPiServer/cms/Stores/contentversion/, User: IIS APPPOOL\appBeta.**.it]
System.InvalidOperationException: This request has probably been tampered with. Close the browser and try again.
in EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException()
in EPiServer.Shell.Services.Rest.RestHttpHandler.ValidateAntiForgeryToken(HttpContextBase httpContext)
in EPiServer.Shell.Services.Rest.RestHttpHandler.GetController(HttpContextBase httpContext)
in EPiServer.Shell.Services.Rest.RestHttpHandler.BeginProcessRequest(HttpContextBase context, AsyncCallback callback, Object extraData)
in EPiServer.Shell.Services.Rest.RestHttpHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
in System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
in System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
in System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Notes:
- Please note that the Referer and the Url are the same, so it would not be a Cross-Site request.
- I've tried to disable the AntiForgeryValidation module in the Plug-in Manager but the excetpion still throws.
- On my development environment the error is not present and everything is ok. The issue is present only on staging environment which has nothing different from development enviroment except from the name of the domain (same configurations, they also connect to the same Db)
Any help is very welcomed
Thanks, Andrea