Hi,

On 07/06/2011 06:43 AM, Sergiu Dumitriu wrote:
> On 07/05/2011 07:20 PM, Alex Busenius wrote:
>> Hello devs,
>>
>>
>> I'd like to enable CSRF protection by default at least until 3.2-RC1 for
>> testing purposes.
>>
>> The CSRF protection mechanism has been added in 2.5, but is still
>> disabled by default, because many functional tests used to fail with
>> CSRF protection (false positives). I have fixed the tests to work with
>> CSRF protection, so we can try to enable it and test on a larger scale,
>> maybe even on myxwiki.org (with RC1).
>>
>> If no critical bugs are found during the testing, I'll call a vote
>> to leave it enabled in 3.2 final.
>>
>>
>> Implementation note: Enabled CSRF protection puts some restrictions on
>> possible requests that should be respected by the tests. For example, it
>> is not possible to construct a request that logs in as admin and deletes
>> a page using xredirect, something that is used in UI tests for speedup.
>> We might want to refactor the test utils a bit to discourage doing such
>> things.
>>
>
> Well, tests should only do what a human would do, which is clicking on
> elements in the page. URL manipulation should only be used when really
> needed.
>

Yes, sure, I meant URL manipulation used to set up things quickly, for
example creating a page to test whether attachment UI works.

Alex

>> Commits:
>> * Branch enabling the protection by default
>> https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
>> * Branch with fixes for functional tests
>> https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
>>
>> Bugs:
>> http://jira.xwiki.org/jira/browse/XWIKI-6773
>> http://jira.xwiki.org/jira/browse/XWIKI-5465
>>
>>
>> Here is my +1
>>
>> WDYT?
>
> +1 as well.
>
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
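The implementation note above explains why a hand-built delete URL (the xredirect shortcut used for test speedup) stops working once CSRF protection is on, while the click-through path a human takes still works. The following is an added illustration of that behaviour using a generic synchronizer-token check; it is not XWiki's code, and the session store, the `form_token` derivation, the `Request` model and the helper names (`login`, `check_csrf`, `shortcut_delete`, `ui_delete`, `stale_token_delete`) are constructed assumptions for the example.

```python
"""Synchronizer-token CSRF check (constructed example, not XWiki's implementation).

Shows why a state-changing request built directly from a URL, without
rendering the form first, is rejected as a false positive under CSRF
protection, while the UI-driven path that carries the form token passes.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SESSIONS: Dict[str, dict] = {}          # constructed in-memory session store
STATE_CHANGING = {"delete", "save"}     # actions that must carry a token


def login(user: str) -> str:
    """Open a session for `user` (hypothetical helper); returns the session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "secret": secrets.token_bytes(32)}
    return sid


def form_token(sid: str) -> str:
    """Token embedded in a rendered form: an HMAC under the session's secret.

    A cross-site page cannot read it, and a URL typed by hand does not have it.
    """
    return hmac.new(SESSIONS[sid]["secret"], b"form_token", hashlib.sha256).hexdigest()


@dataclass
class Request:
    action: str
    session: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)


def check_csrf(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Read-only actions pass; mutating ones need a valid token."""
    if req.action not in STATE_CHANGING:
        return True, "read-only"
    if req.session not in SESSIONS:
        return False, "no session"
    supplied = req.params.get("form_token", "")
    if not supplied:
        return False, "missing token"
    # Constant-time comparison so token checking does not leak by timing.
    if not hmac.compare_digest(supplied, form_token(req.session)):
        return False, "bad token"
    return True, "ok"


def shortcut_delete(sid: str) -> Tuple[bool, str]:
    """Old test-setup style: a hand-built delete URL with xredirect, no form rendered."""
    return check_csrf(Request("delete", sid, {"xredirect": "/bin/view/Main/"}))


def ui_delete(sid: str) -> Tuple[bool, str]:
    """What a human does: render the confirmation form (obtaining the token), then submit it."""
    token = form_token(sid)
    return check_csrf(Request("delete", sid, {"form_token": token, "xredirect": "/bin/view/Main/"}))


def stale_token_delete(sid: str, other_sid: str) -> Tuple[bool, str]:
    """A token minted for another session (e.g. copied between test runs) does not validate."""
    return check_csrf(Request("delete", sid, {"form_token": form_token(other_sid)}))


if __name__ == "__main__":
    admin = login("Admin")
    other = login("OtherUser")
    print("shortcut:", shortcut_delete(admin))            # (False, 'missing token')
    print("ui:      ", ui_delete(admin))                  # (True, 'ok')
    print("stale:   ", stale_token_delete(admin, other))  # (False, 'bad token')
```

The rejected `shortcut_delete` case is exactly the class of false positive the tests had to be fixed for: the request is legitimate in intent, but indistinguishable from a cross-site forgery because nothing ties it to a form the user actually rendered. Test utilities that drive the UI (or that fetch the form and reuse its token) stay valid with protection enabled.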

