Closed Bug 1539936 Opened 6 years ago Closed 6 years ago

Disable CSRF checks on Normandy Server

Categories

(Firefox :: Normandy Server, enhancement)

enhancement
Not set
normal

RESOLVED FIXED

People

(Reporter: rehandalal+mozilla, Unassigned)

Details

In the past CSRF was important because we used cookie-based authentication and the server provided a UI for users. At this point Normandy uses stateless authentication via Auth0 and is purely an API server. It doesn't seem like there is still value to performing CSRF checks and it results in a lot of extra work when developing clients that consume these APIs.

@ulfr can you see any serious security issues with removing the CSRF checks altogether?

Flags: needinfo?(jvehent)

We discussed this internally and we're fine removing CSRF protections when not using cookies. I'm updating our checklist to reflect this: https://github.com/mozilla-services/websec-check/pull/8

Flags: needinfo?(jvehent)
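The reasoning in the report and in the reply above, in code, as an added example that is not part of the bug or of Normandy: a CSRF check is only meaningful where the browser attaches the credential on its own (a session cookie), so the middleware below enforces the double-submit check for cookie-authenticated state-changing requests and exempts requests authenticated by an Authorization: Bearer header. The request dicts, and the cookie and header names, are constructed stand-ins.

```python
"""Conditional CSRF enforcement: keep the check for cookie sessions, skip it
for stateless bearer-token requests (added example, not Normandy's code).
Requests are plain dicts standing in for a framework request; the cookie
and header names below are assumptions."""
import hmac
from typing import Optional

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
SESSION_COOKIE = "sessionid"   # assumed session cookie name
CSRF_COOKIE = "csrftoken"      # assumed double-submit cookie name
CSRF_HEADER = "X-CSRFToken"    # assumed header carrying the token copy


def authenticated_via_cookie(request: dict) -> bool:
    """True when a session cookie is what authenticates the request.
    The browser attaches cookies to cross-site requests by itself, so a
    cookie session can be forged; an Authorization: Bearer header can only
    be set by script that already holds the token, so it cannot."""
    if request["headers"].get("Authorization", "").startswith("Bearer "):
        return False
    return SESSION_COOKIE in request["cookies"]


def check_csrf(request: dict) -> str:
    """Return 'exempt', 'ok' or 'rejected'. Only state-changing methods on
    cookie-authenticated requests are checked: the CSRF cookie must equal
    the copy the page put in the header (double-submit), constant-time."""
    if request["method"] in SAFE_METHODS or not authenticated_via_cookie(request):
        return "exempt"
    cookie_token = request["cookies"].get(CSRF_COOKIE, "")
    header_token = request["headers"].get(CSRF_HEADER, "")
    if not cookie_token or not header_token:
        return "rejected"  # two empty strings would otherwise compare equal
    if hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return "ok"
    return "rejected"


def make_request(method: str, headers: Optional[dict] = None,
                 cookies: Optional[dict] = None) -> dict:
    """Build a constructed request dict for the demo and tests."""
    return {"method": method, "headers": headers or {}, "cookies": cookies or {}}


if __name__ == "__main__":
    # Stateless API client (the Normandy case): bearer token, no cookies.
    print(check_csrf(make_request("POST", {"Authorization": "Bearer t0k3n"})))
    # Browser session: cookie auth still requires a matching token.
    print(check_csrf(make_request("POST", {"X-CSRFToken": "abc"},
                                  {"sessionid": "s1", "csrftoken": "abc"})))
```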

Thanks ulfr!

I've added a new issue to the repo: https://github.com/mozilla/normandy/issues/1835

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED