Can you remove it from GET forms (one example is the ticket search box)? It's not needed there (CSRF is just for POSTs which change state) and it clutters the URL in the resulting address bar pretty badly.
---

** [tickets:#5475] Move CSRF token insertion from JS to easywidgets**

**Status:** in-progress
**Labels:** p3 support 42cc
**Created:** Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen
**Last Updated:** Mon Nov 11, 2013 10:50 PM UTC
**Owner:** nobody

Standard forms across Allura have a `_session_id` field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.

For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The `ForgeForm` class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.

AJAX forms can stay as-is, they use JS already anyway.

---

Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
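The two points raised in this thread (render the `_session_id` hidden field server-side rather than from JS, and leave it out of GET forms such as the search box, since only state-changing POSTs need CSRF protection) can be shown in a few lines of plain Python. The following is an added example written for this page; it is not Allura's `ForgeForm` or easywidgets code. It assumes, as the field name suggests, that the server validates a submission by comparing the posted `_session_id` against the session cookie of the same name; the function names and the constructed sample inputs are hypothetical.

```python
import hmac
from html import escape
from typing import Dict, Optional
from urllib.parse import urlencode

# Safe methods (RFC 7231) must not change server state, so they need no CSRF token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
TOKEN_FIELD = "_session_id"  # field name used by Allura, per the ticket


def csrf_hidden_field(method: str, token: str) -> str:
    """Markup for the server-rendered hidden token field.

    Returns '' for safe-method forms so that e.g. a GET search form does not
    carry the token into the query string of the resulting URL.
    """
    if method.upper() in SAFE_METHODS:
        return ""
    # Escape the value so a token can never break out of the attribute.
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{escape(token, quote=True)}">'


def render_form(action: str, method: str, token: str, body: str) -> str:
    """Wrap form body markup, inserting the token only where it is needed.

    This stands in for what a one-line Jinja macro would do in a template.
    """
    hidden = csrf_hidden_field(method, token)
    return f'<form action="{escape(action, quote=True)}" method="{method.lower()}">{hidden}{body}</form>'


def submitted_url(action: str, method: str, fields: Dict[str, str], token: str) -> str:
    """The address-bar URL a browser would show after submitting a GET form.

    Demonstrates the clutter complaint: only a form that carries the token
    ends up with _session_id in its query string.
    """
    if method.upper() != "GET":
        return action  # POST bodies are not reflected in the URL
    query = dict(fields)
    if csrf_hidden_field(method, token):
        query[TOKEN_FIELD] = token
    return f"{action}?{urlencode(query)}"


def csrf_request_ok(method: str, cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Server-side check: safe methods pass; state-changing ones must match the cookie."""
    if method.upper() in SAFE_METHODS:
        return True
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison avoids leaking the token byte by byte through timing.
    return hmac.compare_digest(cookie_token, form_token)


if __name__ == "__main__":
    # Constructed sample token and inputs for the demonstration.
    session_token = "c0ffee1234"
    print(render_form("/p/allura/tickets/search", "GET", session_token,
                      '<input name="q" value="login bug">'))
    print(render_form("/p/allura/tickets/5475/save", "POST", session_token,
                      '<textarea name="text">update</textarea>'))
    print(submitted_url("/p/allura/tickets/search", "GET", {"q": "login bug"}, session_token))
    print(csrf_request_ok("POST", session_token, session_token))
```

Because the token is emitted by the server, the forms keep working with JavaScript disabled, and `csrf_request_ok` exempts only the methods that by contract must not change state; a GET handler that does modify state would still be unprotected, which is the reason the exemption should be tied to the method rather than to the form's appearance.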