On 07/06/2011 04:54 AM, Alex Busenius wrote:
> Hi,
>
> On 07/06/2011 06:43 AM, Sergiu Dumitriu wrote:
>> On 07/05/2011 07:20 PM, Alex Busenius wrote:
>>> Hello devs,
>>>
>>>
>>> I'd like to enable CSRF protection by default at least until 3.2-RC1 for
>>> testing purposes.
>>>
>>> The CSRF protection mechanism has been added in 2.5, but is still
>>> disabled by default, because many functional tests used to fail with
>>> CSRF protection (false positives). I have fixed the tests to work with
>>> CSRF protection, so we can try to enable it and test on a larger scale,
>>> maybe even on myxwiki.org (with RC1).
>>>
>>> If no critical bugs are found during the testing, I'll call a vote
>>> to leave it enabled in 3.2 final.
>>>
>>>
>>> Implementation note: Enabled CSRF protection puts some restrictions on
>>> possible requests that should be respected by the tests. For example, it
>>> is not possible to construct a request that logs in as admin and deletes
>>> a page using xredirect, something that is used in UI tests for speedup.
>>> We might want to refactor the test utils a bit to discourage doing such
>>> things.
>>>
>>
>> Well, tests should only do what a human would do, which is clicking on
>> elements in the page. URL manipulation should only be used when really
>> needed.
>>
> Yes, sure, I meant URL manipulation used to set up things quickly, for
> example creating a page to test whether attachment UI works.

IMO if a test is not testing the functionality of a given element then it should not be clicking on it. I have fixed numerous flickers by replacing the UI navigation with simple URL manipulation. It makes the test much faster and less apt to flicker.

Caleb

>
>
> Alex
>
>>> Commits:
>>> * Branch enabling the protection by default
>>> https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
>>> * Branch with fixes for functional tests
>>> https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
>>>
>>> Bugs:
>>> http://jira.xwiki.org/jira/browse/XWIKI-6773
>>> http://jira.xwiki.org/jira/browse/XWIKI-5465
>>>
>>>
>>> Here is my +1
>>>
>>> WDYT?
>>
>> +1 as well.
>>
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
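The implementation note in the quoted message says that once CSRF protection is on, a test can no longer "construct" a state-changing request (log in, then delete a page via a crafted URL with xredirect); it has to obtain the anti-CSRF token the way a browser would. The following is an added example, written for this thread and not code from XWiki or its test utilities: a minimal synchronizer-token check in Python that binds the token to the session with an HMAC, rejects state changes over GET, and shows why a test helper that fetches the form first passes while a hand-built URL is refused. The parameter name `form_token`, the secret key, the session ids and the page names are all assumptions constructed for the demo.

```python
"""Synchronizer-token CSRF check, illustrating why a constructed
"login + delete via URL" request is rejected while a form-driven
request is accepted.  Added example; not XWiki's implementation."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Server-side key used to bind tokens to a session.  Constructed for the
# demo; a real deployment would load it from configuration.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_PARAM = "form_token"  # assumed parameter name for this example


def issue_token(session_id: str) -> str:
    """Create a token for one session: random nonce + HMAC(session, nonce).
    Because the MAC covers the session id, a token stolen from or issued to
    another session does not validate here."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def render_delete_form(session_id: str) -> dict:
    """What the 'delete page' form would carry as a hidden field."""
    return {TOKEN_PARAM: issue_token(session_id)}


def handle_delete(session_id: str, method: str, query: str):
    """State-changing action: require POST and a token bound to the session.
    Returns (status, message)."""
    if method != "POST":
        return 405, "state change must be submitted with POST"
    params = parse_qs(query)
    token = params.get(TOKEN_PARAM, [None])[0]
    if not token_valid(session_id, token):
        # This is the branch a crafted ?xredirect=... URL lands in.
        return 403, "missing or invalid CSRF token"
    page = params.get("page", [""])[0]
    return 200, f"deleted {page}"


def delete_like_a_user(session_id: str, page: str):
    """Test helper that behaves like a browser: load the form, reuse the
    hidden token, then submit."""
    hidden = render_delete_form(session_id)
    body = urlencode({"page": page, **hidden})
    return handle_delete(session_id, "POST", body)


def delete_by_constructed_url(session_id: str, page: str):
    """The shortcut the thread warns about: a request assembled by hand,
    without ever loading the form, so it carries no token."""
    body = urlencode({"page": page, "xredirect": "/bin/view/Main/"})
    return handle_delete(session_id, "POST", body)


if __name__ == "__main__":
    sid = "session-constructed-1"
    print(delete_like_a_user(sid, "Sandbox.TestPage"))       # (200, ...)
    print(delete_by_constructed_url(sid, "Sandbox.TestPage"))  # (403, ...)
```

The design point is that the token is never derivable from the URL alone: a helper that wants speed can still skip UI navigation, but it must at least perform the form load that yields the token, which is exactly the refactoring of test utilities the quoted note suggests.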

