[
https://issues.apache.org/jira/browse/STORM-749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14394535#comment-14394535
]
ASF GitHub Bot commented on STORM-749:
--------------------------------------
Github user d2r commented on the pull request:
https://github.com/apache/storm/pull/502#issuecomment-89312662
> Maybe it would be better to remove "antiForgeryToken" from
/api/v1/topology/:id's sample json.
Yes, STORM-UI-REST-API.md line 379.
> Remove CSRF check from rest API
> -------------------------------
>
> Key: STORM-749
> URL: https://issues.apache.org/jira/browse/STORM-749
> Project: Apache Storm
> Issue Type: Task
> Affects Versions: 0.9.3
> Reporter: Parth Brahmbhatt
> Assignee: Parth Brahmbhatt
> Fix For: 0.10.0
>
>
> I think we can safely get rid of the whole CSRF code. CSRF vulnerability is
> only exposed when websites use session based authentication. In our case we
> only use http authentication so we are not really vulnerable to CSRF attacks.
> Currently the CSRF check only hinders non browser clients.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
