Re: [xwiki-devs] [VOTE] Leave CSRF protection enabled by default in 3.2 final

Hello devs, As you know, the 3.2 branch currently has CSRF protection enabled by default for testing purposes. The tests are working fine with it since a couple of months now, and there were only some non-critical bugs found and fixed during that time. The only currently unresolved problem I'm aware of right now is http://jira.xwiki.org/browse/XWIKI-6784 I have some quick test for it locally, but I had very little time recently to clean it up and commit. The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and have been tested on myxwiki.org without big problems. CSRF protection is important security improvement and we should encourage users to enable it. Nevertheless, enabling it by default is a potentially dangerous change, since it will expose problems with not-CSRF protection aware third party extensions after the update, and therefore needs to be voted about. Related bugs (fixed): http://jira.xwiki.org/browse/XWIKI-4873 http://jira.xwiki.org/browse/XWIKI-6773 Here is my +1 for leaving it enabled. WDYT?