[jira] [Commented] (STORM-749) Remove CSRF check from rest API

ASF GitHub Bot (JIRA) Thu, 02 Apr 2015 21:48:56 -0700

    [ 
https://issues.apache.org/jira/browse/STORM-749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14394054#comment-14394054
 ]


ASF GitHub Bot commented on STORM-749:
--------------------------------------

Github user HeartSaVioR commented on the pull request:

    https://github.com/apache/storm/pull/502#issuecomment-89161672
  
    LGTM.
    Maybe it would be better to remove "antiForgeryToken" from 
/api/v1/topology/:id's sample json.


> Remove CSRF check from rest API
> -------------------------------
>
>                 Key: STORM-749
>                 URL: https://issues.apache.org/jira/browse/STORM-749
>             Project: Apache Storm
>          Issue Type: Task
>    Affects Versions: 0.9.3
>            Reporter: Parth Brahmbhatt
>            Assignee: Parth Brahmbhatt
>             Fix For: 0.10.0
>
>
> I think we can safely get rid of the whole CSRF code. CSRF vulnerability is 
> only exposed when websites use session based authentication. In our case we 
> only use http authentication so we are not really vulnerable to CSRF attacks. 
> Currently the CSRF check only hinders non browser clients.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (STORM-749) Remove CSRF check from rest API

Reply via email to