Closed Bug 646994 Opened 14 years ago Closed 14 years ago

Audit POST requests to verify they need to be POST

Categories

(addons.mozilla.org Graveyard :: Add-on Builder, defect, P2)

defect

Tracking

(Not tracked)

VERIFIED FIXED
Builder 0.9.3

People

(Reporter: clouserw, Assigned: smcarthur)

Details

We ran into an issue today when we found out that there are many POST requests hitting builder that are just requesting data. POST should be used for authenticated users to change data* and GET would be more appropriate for the requests looking for data. We'll avoid CSRF problems, it's correct according to best practices, and it gives us better control over caching.

If caching the GET requests is a concern (like, you're polling for a change) we should either be using the @never_cache decorator or, if it's an image or something, using a nonce in the URL.

When this bug is closed this commit should be backed out: https://github.com/mozilla/FlightDeck/commit/47127ce3fdd3098b142ad1329e36002dee5d1997

* There are legitimate reasons why an unauthenticated user should be POSTing data, but they are very rare and should be the exception and not the rule.
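The split the report asks for, as an added, self-contained illustration (not FlightDeck code and not Django's own decorators, although it copies their shape): read-only lookups accept only GET and opt out of caching with a never_cache wrapper, while state changes accept only POST from an authenticated session carrying a matching CSRF token, and a nonce helper shows the cache-busting URL trick for images. The route paths, the in-memory package table, the decorator names `read_only`/`mutating` and the form field `csrfmiddlewaretoken` (Django's real field name, reused here) are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None             # authenticated user name, or None
    form: Dict[str, str] = field(default_factory=dict)
    session_csrf: Optional[str] = None     # CSRF token bound to the session cookie


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


View = Callable[[Request], Response]


def never_cache(view: View) -> View:
    """Same idea as Django's @never_cache: a polling GET must not be served stale."""
    def wrapper(request: Request) -> Response:
        resp = view(request)
        resp.headers["Cache-Control"] = "max-age=0, no-cache, no-store, must-revalidate"
        return resp
    return wrapper


def read_only(view: View) -> View:
    """Data lookups: GET only. A POST is rejected with 405 rather than silently served."""
    def wrapper(request: Request) -> Response:
        if request.method != "GET":
            return Response(405, "method not allowed", {"Allow": "GET"})
        return view(request)
    return wrapper


def mutating(view: View) -> View:
    """State changes: POST only, authenticated, and the submitted CSRF token must
    match the one bound to the session (constant-time compare)."""
    def wrapper(request: Request) -> Response:
        if request.method != "POST":
            return Response(405, "method not allowed", {"Allow": "POST"})
        if request.user is None:
            return Response(403, "login required")
        submitted = request.form.get("csrfmiddlewaretoken", "")
        expected = request.session_csrf or ""
        if not expected or not hmac.compare_digest(submitted, expected):
            return Response(403, "CSRF verification failed")
        return view(request)
    return wrapper


# Constructed in-memory table standing in for the add-on packages store.
PACKAGES = {"abc123": {"name": "demo-addon", "revision": 1}}


@read_only
@never_cache
def package_revision(request: Request) -> Response:
    """Polling endpoint: safe to repeat, idempotent, never cached."""
    hashtag = request.path.rsplit("/", 1)[-1]
    pkg = PACKAGES.get(hashtag)
    if pkg is None:
        return Response(404, "no such package")
    return Response(200, str(pkg["revision"]))


@mutating
def package_bump(request: Request) -> Response:
    """Write endpoint: only reachable through the checks in `mutating`."""
    pkg = PACKAGES.get(request.form.get("hashtag", ""))
    if pkg is None:
        return Response(404, "no such package")
    pkg["revision"] += 1
    return Response(200, str(pkg["revision"]))


# Assumed routes; a read path carries the hashtag in the URL, as the thread suggests.
ROUTES = {"/xpi/revision": package_revision, "/xpi/bump": package_bump}


def dispatch(request: Request) -> Response:
    """Route by exact path or path prefix; anything else is 404."""
    for prefix, view in ROUTES.items():
        if request.path == prefix or request.path.startswith(prefix + "/"):
            return view(request)
    return Response(404, "not found")


def cache_busting_url(path: str) -> str:
    """Nonce-in-URL trick for an image that must bypass a shared cache."""
    return f"{path}?nonce={secrets.token_urlsafe(8)}"


if __name__ == "__main__":
    print(dispatch(Request("GET", "/xpi/revision/abc123")))
    print(dispatch(Request("POST", "/xpi/revision/abc123")))
    print(cache_busting_url("/img/icon.png"))
```

The wrong-method responses are deliberate: a read endpoint that also answers POST, or a write endpoint that also answers GET, is exactly the ambiguity the audit is meant to remove, and a 405 surfaces any client still using the old method instead of letting it keep working unnoticed.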
Assignee: nobody → smcarthur
Most of them have been audited here: https://github.com/mozilla/FlightDeck/commit/1be522dac0dc5e0e5a7162801284bcb93f4a9f00. A couple for Test/Download still use POST for the hashtag, unsure if they need to, and could instead do something like /xpi/test/hashtag.
I think it can be done. With @never_cache understood by the browser it will work well.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard