[
https://issues.apache.org/jira/browse/STORM-749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14394487#comment-14394487
]
Derek Dagit commented on STORM-749:
-----------------------------------
I am OK with removing this if it makes it too hard on the non-browser case.
Let's make sure we really remove all of it. This went into 0.10.0, which is on
its own branch now, so I think we should have a second pull request to
0.10.x-branch and remove it from there as well.
> Remove CSRF check from rest API
> -------------------------------
>
> Key: STORM-749
> URL: https://issues.apache.org/jira/browse/STORM-749
> Project: Apache Storm
> Issue Type: Task
> Affects Versions: 0.9.3
> Reporter: Parth Brahmbhatt
> Assignee: Parth Brahmbhatt
> Fix For: 0.10.0
>
>
> I think we can safely get rid of the whole CSRF code. CSRF vulnerability is
> only exposed when websites use session based authentication. In our case we
> only use http authentication so we are not really vulnerable to CSRF attacks.
> Currently the CSRF check only hinders non browser clients.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
