[xwiki-devs] [proposal] Enable CSRF protection by default during the testing phase of 3.2
6 Jul
2011
6 Jul
'11
1:20 a.m.
Hello devs,
I'd like to enable CSRF protection by default at least until 3.2-RC1 for
testing purposes.
The CSRF protection mechanism as been added in 2.5, but is still
disabled by default, because many functional tests used to fail with
CSRF protection (false positives). I have fixed the tests to work with
CSRF protection, so we can try to enable it and test on a larger scale,
maybe even on myxwiki.org (with RC1).
If no critical bugs will be found during the testing, I'll call a vote
to let it enabled in 3.2 final.
Implementation note: Enabled CSRF protection puts some restrictions on
possible requests that should be respected by the tests. For example, it
is not possible to construct a request that logs-in as admin and deletes
a page using xredirect, something that is used in UI tests for speedup.
We might want to refactor the test utils a bit to discourage doing such
things.
Commits:
* Branch enabling the protection by default
https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
* Branch with fixes for functional tests
https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
Bugs:
http://jira.xwiki.org/jira/browse/XWIKI-6773
http://jira.xwiki.org/jira/browse/XWIKI-5465
Here is my +1
WDYT?
Thanks,
Alex
6 Jul
6 Jul
6:43 a.m.
On 07/05/2011 07:20 PM, Alex Busenius wrote:
Hello devs,
I'd like to enable CSRF protection by default at least until 3.2-RC1 for
testing purposes.
The CSRF protection mechanism as been added in 2.5, but is still
disabled by default, because many functional tests used to fail with
CSRF protection (false positives). I have fixed the tests to work with
CSRF protection, so we can try to enable it and test on a larger scale,
maybe even on myxwiki.org (with RC1).
If no critical bugs will be found during the testing, I'll call a vote
to let it enabled in 3.2 final.
Implementation note: Enabled CSRF protection puts some restrictions on
possible requests that should be respected by the tests. For example, it
is not possible to construct a request that logs-in as admin and deletes
a page using xredirect, something that is used in UI tests for speedup.
We might want to refactor the test utils a bit to discourage doing such
things.
Well, tests should only do what a human would do, which is clicking on
elements in the page. URL manipulation should only be used when really
needed.
Commits:
* Branch enabling the protection by default
https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
* Branch with fixes for functional tests
https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
Bugs:
http://jira.xwiki.org/jira/browse/XWIKI-6773
http://jira.xwiki.org/jira/browse/XWIKI-5465
Here is my +1
WDYT?
+1 as well.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
10:54 a.m.
Hi,
On 07/06/2011 06:43 AM, Sergiu Dumitriu wrote:
On 07/05/2011 07:20 PM, Alex Busenius wrote:
Yes, sure, I meant URL manipulation used to set up things quickly, for
example creating a page to test whether attachment UI works.
Alex
Hello devs,
I'd like to enable CSRF protection by default at least until 3.2-RC1 for
testing purposes.
The CSRF protection mechanism as been added in 2.5, but is still
disabled by default, because many functional tests used to fail with
CSRF protection (false positives). I have fixed the tests to work with
CSRF protection, so we can try to enable it and test on a larger scale,
maybe even on myxwiki.org (with RC1).
If no critical bugs will be found during the testing, I'll call a vote
to let it enabled in 3.2 final.
Implementation note: Enabled CSRF protection puts some restrictions on
possible requests that should be respected by the tests. For example, it
is not possible to construct a request that logs-in as admin and deletes
a page using xredirect, something that is used in UI tests for speedup.
We might want to refactor the test utils a bit to discourage doing such
things.
Well, tests should only do what a human would do, which is clicking on
elements in the page. URL manipulation should only be used when really
needed.
Commits:
* Branch enabling the protection by default
https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
* Branch with fixes for functional tests
https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
Bugs:
http://jira.xwiki.org/jira/browse/XWIKI-6773
http://jira.xwiki.org/jira/browse/XWIKI-5465
Here is my +1
WDYT?
+1 as well.
7 Jul
7 Jul
10:56 p.m.
On 07/06/2011 04:54 AM, Alex Busenius wrote:
Hi,
On 07/06/2011 06:43 AM, Sergiu Dumitriu wrote:
IMO if a test is not testing the functionality of a given element then it should not be
clicking on it.
I have fixed numerous flickers by replacing the UI navigation with simple URL
manipulation.
It makes the test much faster and less apt to flicker.
Caleb
On 07/05/2011 07:20 PM, Alex Busenius wrote:
Yes, sure, I meant URL manipulation used to set up things quickly, for
example creating a page to test whether attachment UI works. Hello devs,
I'd like to enable CSRF protection by default at least until 3.2-RC1 for
testing purposes.
The CSRF protection mechanism as been added in 2.5, but is still
disabled by default, because many functional tests used to fail with
CSRF protection (false positives). I have fixed the tests to work with
CSRF protection, so we can try to enable it and test on a larger scale,
maybe even on myxwiki.org (with RC1).
If no critical bugs will be found during the testing, I'll call a vote
to let it enabled in 3.2 final.
Implementation note: Enabled CSRF protection puts some restrictions on
possible requests that should be respected by the tests. For example, it
is not possible to construct a request that logs-in as admin and deletes
a page using xredirect, something that is used in UI tests for speedup.
We might want to refactor the test utils a bit to discourage doing such
things.
Well, tests should only do what a human would do, which is clicking on
elements in the page. URL manipulation should only be used when really
needed.
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
Commits:
* Branch enabling the protection by default
https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
* Branch with fixes for functional tests
https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
Bugs:
http://jira.xwiki.org/jira/browse/XWIKI-6773
http://jira.xwiki.org/jira/browse/XWIKI-5465
Here is my +1
WDYT?
+1 as well.
8 Jul
8 Jul
10:33 a.m.
On Thu, Jul 7, 2011 at 10:56 PM, Caleb James DeLisle <
calebdelisle(a)lavabit.com> wrote:
On 07/06/2011 04:54 AM, Alex Busenius wrote:
Yes, sure, I meant URL manipulation used to set up things quickly, for
example creating a page to test whether attachment UI works.
IMO if a test is not testing the functionality of a given element then it
should not be clicking on it.
I have fixed numerous flickers by replacing the UI navigation with simple
URL manipulation.
It makes the test much faster and less apt to flicker.
Yes that should be (I though it was already) the rule to use tools provided
by TestUtils or add more instead of using UI framework when the purpose of
the test is not to test that particular UI you are using (adding object you
need, creating users, etc.). Also some part of TestUtils could be
implemented using REST which would make them even quicker.
Hi,
On 07/06/2011 06:43 AM, Sergiu Dumitriu wrote:
> On 07/05/2011 07:20 PM, Alex Busenius wrote:
>> Hello devs,
>>
>>
>> I'd like to enable CSRF protection by default at least until 3.2-RC1
for
>> testing purposes.
>>
>> The CSRF protection mechanism as been added in 2.5, but is still
>> disabled by default, because many functional tests used to fail with
>> CSRF protection (false positives). I have fixed the tests to work with
>> CSRF protection, so we can try to enable it and test on a larger scale,
>> maybe even on myxwiki.org (with RC1).
>>
>> If no critical bugs will be found during the testing, I'll call a vote
>> to let it enabled in 3.2 final.
>>
>>
>> Implementation note: Enabled CSRF protection puts some restrictions on
>> possible requests that should be respected by the tests. For example,
it
>> is not possible to construct a request
that logs-in as admin and
deletes
a page using xredirect, something that is used in UI
tests for speedup.
We might want to refactor the test utils a bit to discourage doing such
things.
Well, tests should only do what a human would do, which is clicking on
elements in the page. URL manipulation should only be used when really
needed.
Caleb
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
Alex
>> Commits:
>> * Branch enabling the protection by default
>>
https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
>> * Branch with fixes for functional tests
>>
https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
Bugs:
http://jira.xwiki.org/jira/browse/XWIKI-6773
http://jira.xwiki.org/jira/browse/XWIKI-5465
Here is my +1
WDYT?
+1 as well.
6 Jul
6 Jul
8:34 a.m.
+1
Thanks,
Marius
On 07/06/2011 02:20 AM, Alex Busenius wrote:
Hello devs,
I'd like to enable CSRF protection by default at least until 3.2-RC1 for
testing purposes.
The CSRF protection mechanism as been added in 2.5, but is still
disabled by default, because many functional tests used to fail with
CSRF protection (false positives). I have fixed the tests to work with
CSRF protection, so we can try to enable it and test on a larger scale,
maybe even on myxwiki.org (with RC1).
If no critical bugs will be found during the testing, I'll call a vote
to let it enabled in 3.2 final.
Implementation note: Enabled CSRF protection puts some restrictions on
possible requests that should be respected by the tests. For example, it
is not possible to construct a request that logs-in as admin and deletes
a page using xredirect, something that is used in UI tests for speedup.
We might want to refactor the test utils a bit to discourage doing such
things.
Commits:
* Branch enabling the protection by default
https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
* Branch with fixes for functional tests
https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
Bugs:
http://jira.xwiki.org/jira/browse/XWIKI-6773
http://jira.xwiki.org/jira/browse/XWIKI-5465
Here is my +1
WDYT?
Thanks,
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
11:11 a.m.
+1
On Wed, Jul 6, 2011 at 01:20, Alex Busenius
<alex.busenius(a)googlemail.com> wrote:
Hello devs,
I'd like to enable CSRF protection by default at least until 3.2-RC1 for
testing purposes.
The CSRF protection mechanism as been added in 2.5, but is still
disabled by default, because many functional tests used to fail with
CSRF protection (false positives). I have fixed the tests to work with
CSRF protection, so we can try to enable it and test on a larger scale,
maybe even on myxwiki.org (with RC1).
If no critical bugs will be found during the testing, I'll call a vote
to let it enabled in 3.2 final.
Implementation note: Enabled CSRF protection puts some restrictions on
possible requests that should be respected by the tests. For example, it
is not possible to construct a request that logs-in as admin and deletes
a page using xredirect, something that is used in UI tests for speedup.
We might want to refactor the test utils a bit to discourage doing such
things.
Commits:
* Branch enabling the protection by default
https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
* Branch with fixes for functional tests
https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
Bugs:
http://jira.xwiki.org/jira/browse/XWIKI-6773
http://jira.xwiki.org/jira/browse/XWIKI-5465
Here is my +1
WDYT?
Thanks,
Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne
7 Jul
7 Jul
2:52 p.m.
Merged to master.
Regards,
Alex
On 07/06/2011 01:20 AM, Alex Busenius wrote:
Hello devs,
I'd like to enable CSRF protection by default at least until 3.2-RC1 for
testing purposes.
The CSRF protection mechanism as been added in 2.5, but is still
disabled by default, because many functional tests used to fail with
CSRF protection (false positives). I have fixed the tests to work with
CSRF protection, so we can try to enable it and test on a larger scale,
maybe even on myxwiki.org (with RC1).
If no critical bugs will be found during the testing, I'll call a vote
to let it enabled in 3.2 final.
Implementation note: Enabled CSRF protection puts some restrictions on
possible requests that should be respected by the tests. For example, it
is not possible to construct a request that logs-in as admin and deletes
a page using xredirect, something that is used in UI tests for speedup.
We might want to refactor the test utils a bit to discourage doing such
things.
Commits:
* Branch enabling the protection by default
https://github.com/xwiki/xwiki-platform/tree/enabled-csrf-protection
* Branch with fixes for functional tests
https://github.com/xwiki/xwiki-enterprise/tree/enabled-csrf-protection
Bugs:
http://jira.xwiki.org/jira/browse/XWIKI-6773
http://jira.xwiki.org/jira/browse/XWIKI-5465
Here is my +1
WDYT?
Thanks,
Alex
4872
days inactive
4875
days old
7 comments
5 participants
participants (5)
-
Alex Busenius -
Caleb James DeLisle -
Marius Dumitru Florea -
Sergiu Dumitriu -
Thomas Mortagne