On 07/05/2011 07:20 PM, Alex Busenius wrote:
> Hello devs,
>
> I'd like to enable CSRF protection by default at least until 3.2-RC1 for
> testing purposes.
>
> The CSRF protection mechanism has been added in 2.5, but is still
> disabled by default, because many functional tests used to fail with
> CSRF protection (false positives). I have fixed the tests to work with
> CSRF protection, so we can try to enable it and test on a larger scale,
> maybe even on myxwiki.org (with RC1).
>
> If no critical bugs are found during the testing, I'll call a vote
> to leave it enabled in 3.2 final.
>
> Implementation note: Enabled CSRF protection puts some restrictions on
> possible requests that should be respected by the tests. For example, it
> is not possible to construct a request that logs in as admin and deletes
> a page using xredirect, something that is used in UI tests for speedup.
> We might want to refactor the test utils a bit to discourage doing such
> things.

Well, tests should only do what a human would do, which is clicking on
elements in the page. URL manipulation should only be used when really
needed.

> Commits:
> * Branch enabling the protection by default
> https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
> * Branch with fixes for functional tests
> https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
>
> Bugs:
> http://jira.xwiki.org/jira/browse/XWIKI-6773
> http://jira.xwiki.org/jira/browse/XWIKI-5465
>
> Here is my +1
>
> WDYT?

+1 as well.

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
http://lists.xwiki.org/mailman/listinfo/devs
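The implementation note in the quoted mail (a single request that logs in as admin and deletes a page via xredirect no longer works once CSRF protection is on) can be illustrated with a small model of a synchronizer-token check. This is an added example written for this page, not XWiki's code or the thread's: the in-memory server, the `form_token` parameter name and the test-shortcut function are assumptions.

```python
import secrets

TOKEN_PARAM = "form_token"  # assumed name of the anti-CSRF request parameter


class Server:
    """Constructed stand-in for the wiki: sessions, pages, one CSRF token per session."""

    def __init__(self):
        self.pages = {"Sandbox.TestPage"}
        self.sessions = {}  # session id -> {"user": ..., "token": ...}

    def login(self, user, password):
        """Create a session. The token is minted here, so it cannot be known
        before the login has actually happened."""
        if password != "password":  # constructed credential for the example
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "token": secrets.token_hex(16)}
        return sid

    def render_form(self, sid):
        """What a browser sees: the page embeds the session's token in the form."""
        return {TOKEN_PARAM: self.sessions[sid]["token"]}

    def delete(self, sid, page, params):
        """State-changing action: allowed only when the submitted token matches
        the one stored in the caller's session (the synchronizer-token check)."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] != "Admin":
            return 403, "forbidden"
        if not secrets.compare_digest(params.get(TOKEN_PARAM, ""), sess["token"]):
            return 403, "csrf check failed"  # the false positive the tests hit
        self.pages.discard(page)
        return 200, "deleted"


def scripted_login_and_delete(server, page):
    """The test-suite shortcut: log in and follow a pre-built redirect straight to
    the delete action. Whatever token the URL carried was fixed before the session
    existed, so it cannot match and the request is rejected."""
    sid = server.login("Admin", "password")
    return server.delete(sid, page, {TOKEN_PARAM: "fixed-before-login"})


def human_like_delete(server, page):
    """Do what a user does: log in, load the page that carries the token, submit it."""
    sid = server.login("Admin", "password")
    return server.delete(sid, page, server.render_form(sid))
```

The scripted shortcut is refused with the token error while the page still exists; the human-like flow deletes the page, which is why the tests had to be rewritten to drive the UI rather than construct URLs.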

