The Foxsec baseline scan checks for a set of security controls that we require for all of our services. Bugzilla is currently failing the baseline due to the lack of CSRF tokens on some of its forms. The forms in question look like they are ‘safe’ and do not actually require CSRF tokens, but we don't want to ignore all forms as we could then miss those that should have them. While we can whitelist forms if they have 'name' or 'id' attributes, the approach we've taken with other sites (such as AMO) is to add a custom "data-no-csrf" attribute. This can then be used by developers to flag that the relevant forms do not need CSRF tokens and is detected in the baseline scan.
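As an added illustration of the check the comment describes (example code written for this page, not the Foxsec scanner's or Bugzilla's own code): it parses a page's forms and reports every form that neither carries a hidden anti-CSRF input nor is flagged with the data-no-csrf attribute. The token-field heuristic (a hidden input whose name contains "csrf" or "token") and the sample HTML are assumptions, not taken from the bug.

```python
"""Minimal form audit in the spirit of the baseline scan: flag forms that have
no anti-CSRF token and are not explicitly exempted with data-no-csrf."""
from html.parser import HTMLParser

# Assumed heuristic (not from the bug): hidden inputs named like these count as tokens.
TOKEN_HINTS = ("csrf", "token")


class FormAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per <form> encountered, in document order
        self._cur = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)      # value-less attributes (data-no-csrf) map to None but are present
        if tag == "form":
            self._cur = {
                "id": a.get("id") or a.get("name") or a.get("action") or "<anonymous>",
                "no_csrf": "data-no-csrf" in a,   # developer-declared exemption
                "has_token": False,
            }
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            name = (a.get("name") or "").lower()
            hidden = (a.get("type") or "").lower() == "hidden"
            if hidden and any(h in name for h in TOKEN_HINTS):
                self._cur["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def forms_missing_csrf(html):
    """Return identifiers of forms with neither a token nor a data-no-csrf flag."""
    parser = FormAuditor()
    parser.feed(html)
    return [f["id"] for f in parser.forms if not f["has_token"] and not f["no_csrf"]]


# Constructed sample page: one protected form, one exempted form, one finding.
SAMPLE = """
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="example">
</form>
<form id="search" method="get" action="/search" data-no-csrf>
  <input name="q">
</form>
<form id="quicksearch" method="post" action="/buglist.cgi">
  <input name="quicksearch">
</form>
"""

if __name__ == "__main__":
    print(forms_missing_csrf(SAMPLE))   # ['quicksearch']
```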
PR merged, and now no CSRF issues flagged on https://bugzilla-dev.allizom.org/ :)
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → FIXED