Allow Baseline scan to ignore forms that dont need CSRF Tokens

RESOLVED FIXED

Status

()

enhancement
RESOLVED FIXED
a year ago
a year ago

People

(Reporter: psiinon, Assigned: psiinon)

Tracking

(Blocks 1 bug)

Production

Firefox Tracking Flags

(Not tracked)

Details

(Assignee)

Description

a year ago
The Foxsec baseline scan checks for a set of security controls that we require for all of our services.

Bugzilla is currently failing the baseline due to the lack of CSRF tokens on some of its forms.
The forms in question look like they are ‘safe’ and do not actually require CSRF tokens, but we dont want to ignore all forms as we could then miss those that should have them.
While we can whitelist forms is they have 'name' or 'id' attributes, the approach we've taken with other sites (such as AMO) is to add a custom "data-no-csrf" attribute. This can then be used by developers to flag that the relevant forms do not need CSRF tokens and is detected in the baseline scan.
(Assignee)

Comment 2

a year ago
PR merged, and now no CSRF issues flagged on https://bugzilla-dev.allizom.org/ :)
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.