+0

On Wed, Oct 5, 2011 at 11:02 PM, Alex Busenius
<alex.busen...@googlemail.com> wrote:
> Hello devs,
>
>
> As you know, the 3.2 branch currently has CSRF protection enabled by
> default for testing purposes.  The tests have been working fine with it
> for a couple of months now, and there were only some non-critical bugs
> found and fixed during that time.
>
> The only currently unresolved problem I'm aware of right now is
> http://jira.xwiki.org/browse/XWIKI-6784
> I have a quick test for it locally, but I had very little time
> recently to clean it up and commit.
>
> The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
> have been tested on myxwiki.org without big problems.
>
>
> CSRF protection is an important security improvement and we should
> encourage users to enable it.  Nevertheless, enabling it by default is a
> potentially dangerous change, since it will expose problems with
> third-party extensions that are not CSRF-protection aware after the
> update, and therefore needs to be voted on.
>
>
> Related bugs (fixed):
> http://jira.xwiki.org/browse/XWIKI-4873
> http://jira.xwiki.org/browse/XWIKI-6773
>
>
> Here is my +1 for leaving it enabled.
>
>
> WDYT?
>
>
> Thanks
> Alex
> _______________________________________________
> devs mailing list
> devs@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/devs
>



-- 
Thomas Mortagne