+1

On Wed, Jul 6, 2011 at 01:20, Alex Busenius <[email protected]> wrote:
> Hello devs,
>
> I'd like to enable CSRF protection by default at least until 3.2-RC1 for
> testing purposes.
>
> The CSRF protection mechanism has been added in 2.5, but is still
> disabled by default, because many functional tests used to fail with
> CSRF protection (false positives). I have fixed the tests to work with
> CSRF protection, so we can try to enable it and test on a larger scale,
> maybe even on myxwiki.org (with RC1).
>
> If no critical bugs are found during the testing, I'll call a vote
> to leave it enabled in 3.2 final.
>
> Implementation note: Enabled CSRF protection puts some restrictions on
> possible requests that should be respected by the tests. For example, it
> is not possible to construct a request that logs in as admin and deletes
> a page using xredirect, something that is used in UI tests for speedup.
> We might want to refactor the test utils a bit to discourage doing such
> things.
>
> Commits:
> * Branch enabling the protection by default
>   https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
> * Branch with fixes for functional tests
>   https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
>
> Bugs:
> http://jira.xwiki.org/jira/browse/XWIKI-6773
> http://jira.xwiki.org/jira/browse/XWIKI-5465
>
> Here is my +1
>
> WDYT?
>
> Thanks,
> Alex
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>
--
Thomas Mortagne

