When clicking the On-Demand button an error is thrown for IE but not for other browsers:
Status code:403 Forbidden
Response:"title": "Forbidden", "description": "REVEL_CSRF: token mismatch."
This only happens for a few customers; most customers have no trouble with IE. Instances of IE at Qlik work fine with NPrinting On-Demand.
Environment:
- Qlik NPrinting all versions
R&D has classified this as a third-party bug, so we are unable to fix it. We have provided an entry in our September 2017 NPrinting release notes:
"On-Demand works for Chrome not for Internet Explorer"
Jira issue ID: OP-5908
The custom HTTP header X-XSRF-TOKEN must be added to match the value in the cookie to allow validation from the proxy.
The explanation from R&D:
The problem is not really the X-XSRF-TOKEN in this case; rather, it is the “origin”-header in the request that is missing. This should be done automatically by the browser. Chrome, FF and most versions of IE comply. Why IE11 in some cases fails is not really clear. There are numerous suggestions, but it all seems to boil down to how the environment is set up with security/policies, what version of IE11 you use and how IE is configured.
If the origin header is not present, NP will try to validate against XSRF and this is not present in the request since it should not be required. Adding the origin header manually seems tricky if possible at all since the header is not a custom one but one that the browser handles.
For more information on this topic:
With Qlik Sense the On-Demand solution depends on Windows Authentication to authenticate to NPrinting "on-the-fly" as the end user, in doing so it needs to use a CORS request. In order to achieve that it needs an Origin Header so it can be trusted with NPrinting.
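The decision path R&D describes can be modelled in a few lines to show why a request without an Origin header ends in the 403 above. This is an added illustration, not Qlik NPrinting's code; the cookie name `XSRF-TOKEN`, the host `sense.example.com`, the reason strings other than the page's error text, and the sample headers are assumptions constructed for the example.

```python
import hmac
from http.cookies import SimpleCookie

# Assumption: placeholder for an origin listed under On-Demand Settings.
TRUSTED_ORIGINS = {"https://sense.example.com"}
# Assumption: the page names only the X-XSRF-TOKEN header, not the cookie.
XSRF_COOKIE = "XSRF-TOKEN"


def check_request(headers, trusted_origins=TRUSTED_ORIGINS):
    """Return (status, reason) for one captured set of request headers."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        # Origin present: the request is judged by the trusted-origin list.
        if origin.rstrip("/").lower() in trusted_origins:
            return 200, "origin trusted"
        return 403, "origin not trusted"
    # Origin absent: fall back to XSRF validation, where the custom header
    # must carry the same value as the cookie.
    jar = SimpleCookie()
    jar.load(h.get("cookie", ""))
    cookie_token = jar[XSRF_COOKIE].value if XSRF_COOKIE in jar else ""
    header_token = h.get("x-xsrf-token", "")
    if cookie_token and hmac.compare_digest(
        cookie_token.encode(), header_token.encode()
    ):
        return 200, "xsrf token matched"
    return 403, "REVEL_CSRF: token mismatch"


# Constructed sample requests (not captured from a real system).
WITH_ORIGIN = {"Origin": "https://sense.example.com", "Cookie": "session=abc"}
IE11_NO_ORIGIN = {"Cookie": "session=abc"}
NO_ORIGIN_WITH_TOKEN = {
    "Cookie": "session=abc; XSRF-TOKEN=t0k3n",
    "X-XSRF-TOKEN": "t0k3n",
}

if __name__ == "__main__":
    for name, req in [("with origin", WITH_ORIGIN),
                      ("IE11, no origin", IE11_NO_ORIGIN),
                      ("no origin, token sent", NO_ORIGIN_WITH_TOKEN)]:
        print(name, "->", check_request(req))
```

Comparing the request headers captured in the failing IE11 session against a working Chrome session shows which branch the request took.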
1. Use Chrome instead of IE. If Chrome does not work, please try Firefox.
2. Another possible solution can be found in this Qlik Community post.
3a. Ultimately, it will be necessary to find out why Internet Explorer in the specific environment is not including the Origin header. This is likely due to environment-specific security policies. It has been found that at least one setting that prevents the Origin header from being added is "Access data sources across domains" set to Enabled. As a workaround, disable this setting.
3b. In order to use the "Enable" setting for Accessing Data Sources across domains the following actions are required:
- Navigate to the Internet Options per the image in the previous step and change the "Disable" option to "Enable" for "Access data sources across domains"
- When re-testing the On-Demand Reports you will see the "Server access blocked by server" message because it failed to provide an Origin
- In order to overcome this error, set up a Reverse Proxy between Qlik Sense and Qlik NPrinting
- Set the RequestHeader to "Origin" "https://Server:Port" and ensure this is applied automatically no matter the scenario
- Add the Reverse Proxy to the Trusted Origins in the Qlik NPrinting WebConsole - Admin - Settings - On-Demand Settings
- Edit the On-Demand button in Qlik Sense to use the Reverse Proxy URL