Recently I came across an interesting error, "_vti_bin/client.svc/ProcessQuery 403 Forbidden", while making a CSOM API call during on load of a SharePoint 2013 publishing page article in edit mode. Our logic was simple – make CSOM API calls whenever the Publishing Page is in Edit mode during on load of the article. As we started narrowing down the issue, we noticed a pattern – if you edit a page which was in publish mode but not checked out, the page errors out in edit mode. If you edit a page which was checked out, it works correctly.
Based on the error, it was quite noticeable that this must be related to the FormDigest control. For those of you not aware, the FormDigest control holds the security validation token for CSOM API calls. SharePoint validates client user requests using the FormDigest control, and all client-side CSOM or REST API calls require a valid FormDigest value to ensure the requests came from the same client.
Since we were using a Custom Master Page, my first solution was to ensure the FormDigest control exists in our master page. All the out-of-box SharePoint master pages add the FormDigest control automatically, but I wanted to make sure the FormDigest control exists in our custom master page. Upon checking the master page, the FormDigest control was indeed added through our custom master page.
At this stage, I knew I was in unknown territory and it would be much harder to trace down the real problem. Since the FormDigest control was already available in our Custom master page, my initial instinct was to look at the FormDigest value in Publish and Check Out mode. Since page edit worked fine if the page was already checked out and didn’t work if the page was in publish mode, I wanted to see if the FormDigest value was invalid in publish mode, causing the CSOM API errors. Upon looking at the page source, indeed, that was the case. We had an invalid FormDigest value in publish mode and a valid FormDigest value in page checked out mode.
Article in Publish Mode, Invalid FormDigest Token =>
Article in Check out or Edit Mode, Valid FormDigest Token =>
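The page-source comparison described above can be scripted. The following is an added example, not code from the original post: it pulls the `__REQUESTDIGEST` hidden field out of saved page HTML and reports whether it is missing, malformed, expired or usable. The digest format, the 30-minute lifetime and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: classify the __REQUESTDIGEST hidden field found in page source.
// Assumption: a usable digest looks like "0x<hex>,<dd Mon yyyy HH:mm:ss> -0000".
const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
const DIGEST_RE =
  /^0x[0-9A-Fa-f]+,(\d{2}) ([A-Z][a-z]{2}) (\d{4}) (\d{2}):(\d{2}):(\d{2}) -0000$/;

// Pull the field's value out of raw HTML, whatever the attribute order.
function extractDigest(html) {
  const tag = /<input\b[^>]*\bname=["']__REQUESTDIGEST["'][^>]*>/i.exec(html);
  if (!tag) return null;
  const value = /\bvalue=["']([^"']*)["']/i.exec(tag[0]);
  return value ? value[1] : null;
}

// timeoutSeconds: assumed 30-minute security validation lifetime.
function classifyDigest(html, now = new Date(), timeoutSeconds = 1800) {
  const digest = extractDigest(html);
  if (digest === null) return { status: "missing" };
  const m = DIGEST_RE.exec(digest);
  const month = m ? MONTHS.indexOf(m[2]) : -1;
  if (month < 0) return { status: "malformed", digest };
  // The timestamp in the digest is UTC (-0000), so build the date in UTC.
  const issued = Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]);
  const ageSeconds = (now.getTime() - issued) / 1000;
  const status = ageSeconds > timeoutSeconds ? "expired" : "ok";
  return { status, digest, ageSeconds };
}

// Constructed sample markup (not captured from a real farm).
const CHECKED_OUT_HTML = '<input type="hidden" name="__REQUESTDIGEST" ' +
  'id="__REQUESTDIGEST" value="0x3FA94C1D77B2E05A,12 Aug 2013 14:05:09 -0000" />';
const PUBLISHED_HTML = '<input type="hidden" name="__REQUESTDIGEST" ' +
  'id="__REQUESTDIGEST" value="NOT-A-VALID-TOKEN" />';

// Compare both page modes at a fixed, constructed point in time.
const sampleNow = new Date(Date.UTC(2013, 7, 12, 14, 10, 0));
for (const [label, html] of [["checked out", CHECKED_OUT_HTML],
                             ["published", PUBLISHED_HTML]]) {
  console.log(label, classifyDigest(html, sampleNow).status);
}
```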
Apparently, it seems like this problem was introduced in the March 2013 PU for both SharePoint 2010 and SharePoint 2013. According to this MSDN forum, the March PU introduced the logic of invalidating the FormDigest control on publishing pages in Publish mode. FormDigest works fine in Edit or Page Check out mode with a valid security token, but it is invalidated in Publish mode. That’s the reason why editing our news articles from publish mode (without checking out) threw CSOM API forbidden errors.
To ensure this issue was not introduced by our custom publishing page layouts, we also verified that OOB Publishing pages have similar issues with an invalid FormDigest security token (http://intranet.niks.local/news/pages/default.aspx), but wiki pages worked fine with a valid security token (http://intranet.niks.local/sites/cthub/SitePages/Home.aspx). Additionally, we verified that our Custom Publishing Page Layouts worked fine in RTM with a valid FormDigest token in both Publish and Checked out mode.
Resolution => Upgrade to June 2013 CU or August 2013 CU => As the MSDN forum suggests, this issue seems to have been introduced into the product in the March 2013 CU for both SharePoint 2010 and SharePoint 2013. People have reported that the June 2013 CU has fixed this issue for both SharePoint 2013 and SharePoint 2010. To validate these reports, we upgraded our environment to the August 2013 CU (latest stable release) and I am happy to announce that it has fixed the FormDigest invalidity issues. I was able to edit our news articles from both publish and checked out mode without any 403 Forbidden errors.