CSRF with WebDAV

Nextcloud 13.0.2

I am trying to use WebDAV in a JS app for an open source project I am working on. WebDAV is just the backend part.

I am using the WebDAV JS client from sara-nl on GitHub: https://github.com/sara-nl/js-webdav-client

I start by doing a PROPFIND.

Here is all the info I have so far:

URL: (personal info has been scrubbed as best I could)

Note: I am using a self-signed certificate.

Request body (the propfind refuses to display correctly):

<?xml version="1.0" encoding="utf-8" ?>
<propfind xmlns="DAV:"><allprop /></propfind>

Response body:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:message>CSRF check not passed.</s:message>
</d:error>

Request Headers:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 83
Content-Type: application/xml; charset=UTF-8
Cookie: nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; ociz8rn99eow=m78u7k2185548c183l2qo96fm5; oc_sessionPassphrase=ZbVwrnfeIYZtpGNnU79EJjcn40fTLVQYNYfH389n6o39fTzLjaqH%2BhmA1dwLK6pU5MEkjucAgC73Az6vrc9Agedt703N53PHBFpugQjaZmv7VQuthdNp9I4HfMS0N1Z0; nc_username=[username]; nc_token=eV%2BFq1jiA6EB1vnlaZw5D0cEtJ8EZVHy; nc_session_id=m78u7k2185548c183l2qo96fm5
Depth: 1
Host: [mynextcloud.tld:8008]
Pragma: no-cache
Referer: https://[mynextcloud.tld:8008]/webdavtest2/index.html
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0

Response Headers:

HTTP/1.1 401 Unauthorized
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 222
Content-Security-Policy: default-src 'none';
Content-Type: application/xml; charset=utf-8
Date: Fri, 27 Apr 2018 19:16:55 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.0.28
Strict-Transport-Security: max-age=63072000; includeSubdomains;
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Powered-By: PHP/7.0.28
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block

So I found this documentation:

It specifically says I need to add an oc_requesttoken header, but I do not seem to have one. There is no cookie I can find in my browser with that value, and I do not see it in the headers either. Where do I find that value?

Does Nextcloud need some form of authentication step before the first query, and do I get that token from that step?

Or is there something else that I am ignorant of?
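The situation in the post, worked through as an added example (this is not code from the post, from the sara-nl client, or from Nextcloud itself). Nextcloud applies the CSRF check to DAV requests that it authenticates from the browser session cookie, which is what the nc_* cookies in the captured request trigger. The header its check looks for is requesttoken, and the token is embedded in every page Nextcloud renders (the data-requesttoken attribute on <head>, also exposed as OC.requestToken). A static file served beside Nextcloud such as /webdavtest2/index.html is presumably not rendered by Nextcloud and so carries no token. The code below shows both ways out: send the session cookies together with a requesttoken read from a Nextcloud-rendered page, or skip the session entirely and authenticate the PROPFIND with HTTP Basic auth and an app password, the way standalone WebDAV clients do. The host name, the files path under remote.php/dav, the user alice, the app password and the helper names are all placeholders chosen for this example; the sample error body is reconstructed from the response in the post.

```javascript
// Added example, not code from the original post, the sara-nl client or Nextcloud.
// Two ways to get a browser-side PROPFIND past Nextcloud's DAV CSRF check:
//   1. session (cookie) auth + the `requesttoken` header, read from a page
//      that Nextcloud rendered (`<head data-requesttoken>` / `OC.requestToken`);
//   2. HTTP Basic auth with an app password, without sending the session at all.
// Host, path, user name and app password below are placeholders.

const DAV_BASE = "https://mynextcloud.example:8008/remote.php/dav/files/"; // placeholder host

// The same allprop PROPFIND body the post sends, as well-formed XML.
const PROPFIND_ALLPROP =
  '<?xml version="1.0" encoding="utf-8"?>\n' +
  '<d:propfind xmlns:d="DAV:"><d:allprop/></d:propfind>';

// Constructed for this example from the response body shown in the post.
const SAMPLE_CSRF_ERROR =
  '<?xml version="1.0" encoding="utf-8"?>\n' +
  '<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n' +
  "  <s:message>CSRF check not passed.</s:message>\n" +
  "</d:error>";

// Nextcloud puts the CSRF token into every page it renders. A static HTML file
// served next to Nextcloud never gets one, so this returns null there.
function readRequestToken(doc = globalThis.document, oc = globalThis.OC) {
  if (oc && typeof oc.requestToken === "string") return oc.requestToken;
  const fromHead = doc && doc.head && doc.head.dataset && doc.head.dataset.requesttoken;
  return fromHead || null;
}

// Build the fetch() options for a PROPFIND. Exactly one auth mode is used.
function buildPropfind({ requestToken = null, username = null, appPassword = null, depth = 1 } = {}) {
  const headers = {
    "Content-Type": "application/xml; charset=UTF-8",
    "Depth": String(depth),
    // Marks the call as XHR so a failed auth comes back as a plain 401 instead
    // of the browser's Basic-auth dialog.
    "X-Requested-With": "XMLHttpRequest",
  };
  let credentials;
  if (requestToken) {
    headers["requesttoken"] = requestToken; // the header Nextcloud's CSRF check reads
    credentials = "same-origin";            // send the nc_* session cookies along
  } else if (username && appPassword) {
    headers["Authorization"] = "Basic " + btoa(`${username}:${appPassword}`);
    credentials = "omit";                   // keep the web session out of a Basic-auth call
  } else {
    throw new Error("need a requesttoken (session auth) or username + app password (Basic auth)");
  }
  return { method: "PROPFIND", headers, body: PROPFIND_ALLPROP, credentials };
}

// Minimal extraction of SabreDAV's <s:message> from an error body. This targets
// that one element only; it is not a general XML parser.
function parseDavError(xmlBody) {
  const m = /<s:message>([^<]*)<\/s:message>/.exec(xmlBody);
  const message = m ? m[1].trim() : null;
  return { message, csrfFailure: message === "CSRF check not passed." };
}

// Run the PROPFIND against a user's files tree and report a CSRF rejection
// distinctly from other failures. path is e.g. "alice/" (placeholder user).
async function propfind(path, authOptions) {
  const res = await fetch(DAV_BASE + path, buildPropfind(authOptions));
  const body = await res.text();
  if (res.status === 207) return body; // Multi-Status: the property listing
  const err = parseDavError(body);
  if (res.status === 401 && err.csrfFailure) {
    throw new Error(
      "Nextcloud rejected the session-authenticated PROPFIND: send a valid " +
      "requesttoken header, or use Basic auth with an app password"
    );
  }
  throw new Error(`PROPFIND ${path} failed: HTTP ${res.status} ${err.message || ""}`);
}

// Usage from a page, choosing session auth when a token is available and
// falling back to an app password (placeholder credentials) otherwise:
//   const token = readRequestToken();
//   const auth = token ? { requestToken: token } : { username: "alice", appPassword: "app-password" };
//   propfind("alice/", auth).then(console.log, console.error);
```

The Basic-auth variant sets credentials to "omit" so the browser does not attach the nc_* session cookies; Nextcloud then judges the request on the Authorization header alone instead of on the cookie session the CSRF check guards. Whether Nextcloud 13 falls back cleanly from a failed session CSRF check to Basic auth when both are present is not something the post establishes, so keeping the two modes separate is the safer design.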