Bug 1539936
Opened 6 years ago
Closed 6 years ago
Disable CSRF checks on Normandy Server
Categories: Firefox :: Normandy Server (enhancement)
Status: RESOLVED FIXED
Reporter: rehandalal+mozilla; Assignee: Unassigned
Description
In the past CSRF was important because we used cookie-based authentication and the server provided a UI for users. At this point Normandy uses stateless authentication via Auth0 and is purely an API server. It doesn't seem like there is still value to performing CSRF checks and it results in a lot of extra work when developing clients that consume these APIs.
@ulfr can you see any serious security issues with removing the CSRF checks altogether?
Updated 6 years ago (Reporter): Flags: needinfo?(jvehent)
Comment 1 (6 years ago)
We discussed this internally and we're fine removing CSRF protections when not using cookies. I'm updating our checklist to reflect this: https://github.com/mozilla-services/websec-check/pull/8
Flags: needinfo?(jvehent)
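The rule the description and comment 1 rely on (CSRF protection is only needed when the browser can attach credentials on its own) written out as a per-request check. This is an added example, not Normandy's own code; the cookie name and the request shape are assumptions.

```python
# Added example (not Normandy's code): decide per request whether a CSRF
# check still applies. CSRF only matters when the browser attaches
# credentials by itself (session cookies, cached HTTP Basic credentials);
# a bearer token in an Authorization header has to be added by the client's
# own code and cannot be replayed from another origin.
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Assumed cookie name (Django default); adjust for the real deployment.
AMBIENT_COOKIES = {"sessionid"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def auth_scheme(req: Request) -> str:
    """Lower-cased Authorization scheme ("bearer", "basic"), or "" if none."""
    return req.headers.get("Authorization", "").split(" ", 1)[0].lower()


def has_ambient_credentials(req: Request) -> bool:
    """True if something the browser sends automatically could authenticate
    this request; that is exactly the precondition for CSRF."""
    if any(name in req.cookies for name in AMBIENT_COOKIES):
        return True
    # Browsers cache Basic credentials and resend them to the same realm.
    return auth_scheme(req) == "basic"


def csrf_check_required(req: Request) -> bool:
    """Skip the check for safe methods and for requests whose only credential
    is a bearer token; keep it whenever a cookie or Basic path could still
    authenticate the request (even if a bearer token is also present)."""
    if req.method.upper() in SAFE_METHODS:
        return False
    return has_ambient_credentials(req)


def decide(req: Request, csrf_token_valid: bool = False) -> str:
    """Outcome for a request under the rule above."""
    if csrf_check_required(req) and not csrf_token_valid:
        return "403 CSRF check failed"
    if auth_scheme(req) == "bearer" or has_ambient_credentials(req):
        return "proceed to token/session validation"
    return "401 no credentials"
```

The caveat this makes visible: the check can only be dropped once no cookie-based or Basic-auth path is left on the API, otherwise requests carrying both credential types still need it.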
Comment 2 (6 years ago, Reporter)
Thanks ulfr!
I've added a new issue to the repo: https://github.com/mozilla/normandy/issues/1835
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED