+1
On Wed, Jul 6, 2011 at 01:20, Alex Busenius
<alex.busenius(a)googlemail.com> wrote:
Hello devs,
I'd like to enable CSRF protection by default at least until 3.2-RC1 for
testing purposes.
The CSRF protection mechanism as been added in 2.5, but is still
disabled by default, because many functional tests used to fail with
CSRF protection (false positives). I have fixed the tests to work with
CSRF protection, so we can try to enable it and test on a larger scale,
maybe even on
myxwiki.org (with RC1).
If no critical bugs will be found during the testing, I'll call a vote
to let it enabled in 3.2 final.
Implementation note: Enabled CSRF protection puts some restrictions on
possible requests that should be respected by the tests. For example, it
is not possible to construct a request that logs-in as admin and deletes
a page using xredirect, something that is used in UI tests for speedup.
We might want to refactor the test utils a bit to discourage doing such
things.
Commits:
* Branch enabling the protection by default
https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
* Branch with fixes for functional tests
https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
Bugs:
http://jira.xwiki.org/jira/browse/XWIKI-6773
http://jira.xwiki.org/jira/browse/XWIKI-5465
Here is my +1
WDYT?
Thanks,
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs