On 10/05/2011 05:02 PM, Alex Busenius wrote:
Hello devs,
As you know, the 3.2 branch currently has CSRF protection enabled by
default for testing purposes. The tests have been working fine with it for
a couple of months now, and only some non-critical bugs were found
and fixed during that time.
The only currently unresolved problem I'm aware of right now is
http://jira.xwiki.org/browse/XWIKI-6784
I have a quick test for it locally, but I have had very little time
recently to clean it up and commit.
The 3.2-M* and 3.2-rc* releases have the CSRF protection enabled and
have been tested on myxwiki.org without big problems.
CSRF protection is an important security improvement and we should
encourage users to enable it. Nevertheless, enabling it by default is a
potentially dangerous change, since it will expose problems with
third-party extensions that are not CSRF-protection aware after the update, and
therefore needs to be voted on.
Related bugs (fixed):
http://jira.xwiki.org/browse/XWIKI-4873
http://jira.xwiki.org/browse/XWIKI-6773
Here is my +1 for leaving it enabled.
WDYT?
I think it's quite an important change that could break a lot of (user)
applications. Still, this change must happen at some point, and we
already had the feature in an experimental state for quite a while
(since 2.5, a year ago).
+1 for leaving it enabled.
I agree with this. +1 too, provided we clearly explain it in the release notes and explain
how to turn it off for users upgrading and having problems (with a warning on security for
public sites).
Thanks
-Vincent