Closed Bug 1446431 Opened 6 years ago Closed 6 years ago

Allow Baseline scan to ignore forms that don't need CSRF Tokens

Categories

(bugzilla.mozilla.org :: General, enhancement)

Production
enhancement
Not set
normal

RESOLVED FIXED

People

(Reporter: psiinon, Assigned: psiinon)

Details

The Foxsec baseline scan checks for a set of security controls that we require for all of our services.

Bugzilla is currently failing the baseline due to the lack of CSRF tokens on some of its forms.
The forms in question look like they are ‘safe’ and do not actually require CSRF tokens, but we don't want to ignore all forms as we could then miss those that should have them.
While we can whitelist forms if they have 'name' or 'id' attributes, the approach we've taken with other sites (such as AMO) is to add a custom "data-no-csrf" attribute. This can then be used by developers to flag that the relevant forms do not need CSRF tokens and is detected in the baseline scan.
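The check described above, as an added example that is not part of the bug, of the Foxsec baseline scan, or of Bugzilla's code: a small Python script that parses the forms in a page, reports any form without a hidden anti-CSRF input, and skips forms that either carry the custom data-no-csrf attribute or whose id/name is on a whitelist. The list of token field names (TOKEN_NAMES) and the sample HTML are assumptions constructed for the example, not what the real scanner or Bugzilla use.

```python
"""Flag HTML forms lacking an anti-CSRF token, honouring a data-no-csrf opt-out."""
from html.parser import HTMLParser

# Assumption: field names treated as anti-CSRF tokens. This is an illustrative
# list for the example, not the scanner's own list.
TOKEN_NAMES = {"csrf_token", "csrfmiddlewaretoken", "_csrf", "authenticity_token", "token"}


class FormCollector(HTMLParser):
    """Collect every <form> with the <input> elements nested inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # valueless attributes (e.g. data-no-csrf) map to None
        if tag == "form":
            self._current = {"attrs": attrs, "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def has_csrf_token(form):
    """True if the form carries a hidden input whose name looks like a CSRF token."""
    for inp in form["inputs"]:
        name = (inp.get("name") or "").lower()
        if (inp.get("type") or "").lower() == "hidden" and name in TOKEN_NAMES:
            return True
    return False


def check_forms(html, ignored_ids=()):
    """Return (label, verdict) for every form; only un-flagged, token-less forms are findings."""
    parser = FormCollector()
    parser.feed(html)
    results = []
    for i, form in enumerate(parser.forms):
        a = form["attrs"]
        label = a.get("id") or a.get("name") or f"form#{i}"
        if "data-no-csrf" in a:            # developer-flagged as not needing a token
            verdict = "ignored (data-no-csrf)"
        elif label in ignored_ids:         # the older name/id whitelist approach
            verdict = "ignored (whitelist)"
        elif has_csrf_token(form):
            verdict = "ok"
        else:
            verdict = "MISSING anti-CSRF token"
        results.append((label, verdict))
    return results


# Constructed sample page (not real Bugzilla markup): one opted-out search form,
# one tokenised login form, one whitelisted form, one form that should be flagged.
SAMPLE = """
<form action="/buglist.cgi" method="get" data-no-csrf>
  <input type="text" name="quicksearch">
</form>
<form id="login" action="/index.cgi" method="post">
  <input type="hidden" name="token" value="abc123">
  <input type="password" name="Bugzilla_password">
</form>
<form id="mini_login" action="/index.cgi" method="post">
  <input type="text" name="Bugzilla_login">
</form>
<form name="change_password" action="/userprefs.cgi" method="post">
  <input type="password" name="new_password1">
</form>
"""


def run_sample():
    """Run the check over the constructed sample with one whitelisted form id."""
    return check_forms(SAMPLE, ignored_ids=("mini_login",))


if __name__ == "__main__":
    for label, verdict in run_sample():
        print(f"{label:20} {verdict}")
```

Only the change_password form is reported; the opt-out attribute is honoured per form, so a page can keep its genuinely safe forms out of the results without the scanner having to ignore every form on the site.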
PR merged, and now no CSRF issues flagged on https://bugzilla-dev.allizom.org/ :)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED