+0
On Wed, Oct 5, 2011 at 11:02 PM, Alex Busenius
<alex.busenius(a)googlemail.com> wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests have been working fine with it for
a couple of months now, and there were only some non-critical bugs found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have some quick test for it locally, but I had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is an important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
non-CSRF-protection-aware third party extensions after the update, and
therefore needs to be voted about.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
Thanks
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs