Bug 1446431: Allow Baseline scan to ignore forms that don't need CSRF tokens
Status: RESOLVED FIXED (closed)
Opened 6 years ago; closed 6 years ago
Product/Component: bugzilla.mozilla.org :: General (enhancement)
Reporter: psiinon; Assignee: psiinon
The Foxsec baseline scan checks for a set of security controls that we require for all of our services. Bugzilla is currently failing the baseline due to the lack of CSRF tokens on some of its forms. The forms in question look like they are ‘safe’ and do not actually require CSRF tokens, but we don't want to ignore all forms as we could then miss those that should have them. While we can whitelist forms if they have 'name' or 'id' attributes, the approach we've taken with other sites (such as AMO) is to add a custom "data-no-csrf" attribute. This can then be used by developers to flag that the relevant forms do not need CSRF tokens and is detected in the baseline scan.
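As an added illustration, not code from this bug, from BMO or from the Foxsec/ZAP baseline scan itself, the check below applies the policy the description lays out: a form is reported as missing a CSRF token unless it carries the `data-no-csrf` opt-out, its `id`/`name` is on an explicit whitelist, or one of its inputs is named like a token. The token-name list, the whitelist and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed token-name list for this example; real scanners ship their own
# configurable list. Input names are compared case-insensitively.
CSRF_TOKEN_NAMES = {"csrf_token", "csrftoken", "csrfmiddlewaretoken", "authenticity_token",
                    "__requestverificationtoken", "anticsrf", "_csrf", "_token"}

class FormCollector(HTMLParser):
    """Collect every <form> with its attributes and the names of its <input>s."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # valueless attributes such as data-no-csrf map to None
        if tag == "form":
            self._current = {"attrs": attrs, "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((attrs.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def check_forms(html, whitelist=()):
    """Return the id (or name) of each form lacking a recognised CSRF token.
    Exempt: forms carrying data-no-csrf (the opt-out proposed in this bug), forms
    whose id/name is whitelisted, and forms with an input named like a token."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for form in parser.forms:
        attrs = form["attrs"]
        label = attrs.get("id") or attrs.get("name") or "<anonymous>"
        if "data-no-csrf" in attrs or label in whitelist:
            continue  # developer explicitly marked this form as not needing a token
        if any(name in CSRF_TOKEN_NAMES for name in form["inputs"]):
            continue  # a token field is present
        flagged.append(label)
    return flagged

# Constructed sample: a search form opted out via data-no-csrf, a login form with
# an unrecognised token name (flagged), and a comment form with a proper token.
SAMPLE_HTML = """<form id="quicksearch" action="/buglist.cgi" method="get" data-no-csrf>
<input name="quicksearch"></form>
<form id="login" action="/login" method="post"><input type="hidden" name="token"><input name="user"></form>
<form id="comment" action="/process_bug.cgi" method="post"><input type="hidden" name="csrf_token"></form>"""
```

Running `check_forms(SAMPLE_HTML)` reports only `login`; the opted-out search form is skipped even though it has no token, which is exactly the risk the description notes when an opt-out is applied too broadly.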
Comment 1 (Assignee) • 6 years ago
PR here: https://github.com/mozilla-bteam/bmo/pull/515
Comment 2 (Assignee) • 6 years ago
PR merged, and now no CSRF issues flagged on https://bugzilla-dev.allizom.org/ :)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED