Closed
Bug 646994
Opened 14 years ago
Closed 14 years ago
Audit POST requests to verify they need to be POST
Categories
(addons.mozilla.org Graveyard :: Add-on Builder, defect, P2)
addons.mozilla.org Graveyard
Add-on Builder
Tracking
(Not tracked)
VERIFIED
FIXED
Builder 0.9.3
People
(Reporter: clouserw, Assigned: smcarthur)
Details
We ran into an issue today when we found out that there are many POST requests hitting builder that are just requesting data. POST should be used for authenticated users to change data* and GET would be more appropriate for the requests looking for data. We'll avoid CSRF problems, it's correct according to best practices, and it gives us better control over caching.
If caching the GET requests is a concern (like, you're polling for a change) we should either be using the @never_cache decorator or, if it's an image or something, using a nonce in the URL.
When this bug is closed this commit should be backed out: https://github.com/mozilla/FlightDeck/commit/47127ce3fdd3098b142ad1329e36002dee5d1997
* There are legitimate reasons why an unauthenticated user should be POSTing data, but they are very rare and should be the exception and not the rule.
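The split the report asks for, as an added example that is not FlightDeck code and not from the reporter: a standard-library-only sketch in which read-only views are GET (polled ones marked uncacheable, the way @never_cache does), state-changing views are authenticated POSTs that must carry a CSRF token, and image URLs carry a nonce instead of being fetched with POST. Request, Response, the decorators, the PACKAGES data and the /package paths are all assumptions made for this example.

```python
"""Added example (not FlightDeck's own code): GET for reads, POST for
authenticated, CSRF-checked writes, no-cache headers for polled GETs,
a nonce in the URL for images.  Every name below is an assumption."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlencode


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None          # None means not logged in
    session_csrf: Optional[str] = None  # token held server-side in the session
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


View = Callable[[Request], Response]


def require_method(method: str) -> Callable[[View], View]:
    """Reject any other verb: reads are GET, state changes are POST."""
    def deco(view: View) -> View:
        def wrapped(req: Request) -> Response:
            if req.method != method:
                return Response(405, "method not allowed", {"Allow": method})
            return view(req)
        return wrapped
    return deco


def login_required(view: View) -> View:
    """Only authenticated users may reach a state-changing view."""
    def wrapped(req: Request) -> Response:
        if req.user is None:
            return Response(403, "login required")
        return view(req)
    return wrapped


def csrf_protect(view: View) -> View:
    """A POST must carry a token equal to the session's (constant-time compare)."""
    def wrapped(req: Request) -> Response:
        if req.method == "POST":
            sent = req.form.get("csrfmiddlewaretoken", "")
            if not req.session_csrf or not hmac.compare_digest(sent, req.session_csrf):
                return Response(403, "CSRF verification failed")
        return view(req)
    return wrapped


def never_cache(view: View) -> View:
    """Mark a polled GET uncacheable so the browser always re-fetches it."""
    def wrapped(req: Request) -> Response:
        resp = view(req)
        resp.headers["Cache-Control"] = "max-age=0, no-cache, no-store, must-revalidate"
        resp.headers["Pragma"] = "no-cache"
        return resp
    return wrapped


# Constructed sample data standing in for Builder's package store.
PACKAGES: Dict[str, dict] = {"pkg-1": {"name": "hello", "revision": 3}}


@require_method("GET")
@never_cache
def package_status(req: Request) -> Response:
    """Read-only view: safe to poll, needs neither login nor a CSRF token."""
    pkg = PACKAGES.get(req.path.rsplit("/", 1)[-1])
    if pkg is None:
        return Response(404, "no such package")
    return Response(200, f"revision {pkg['revision']}")


@require_method("POST")
@login_required
@csrf_protect
def save_package(req: Request) -> Response:
    """State-changing view: authenticated POST with a valid CSRF token only."""
    pkg = PACKAGES.get(req.path.rsplit("/", 1)[-1])
    if pkg is None:
        return Response(404, "no such package")
    pkg["revision"] += 1
    return Response(200, f"saved revision {pkg['revision']}")


def image_url(path: str, nonce: Optional[str] = None) -> str:
    """Cache-bust an image GET with a nonce in the URL instead of using POST."""
    return f"{path}?{urlencode({'n': nonce or secrets.token_urlsafe(8)})}"


if __name__ == "__main__":
    tok = secrets.token_urlsafe(16)
    print(package_status(Request("GET", "/package/pkg-1")).headers["Cache-Control"])
    print(save_package(Request("POST", "/package/pkg-1", user="alice",
                               session_csrf=tok, form={"csrfmiddlewaretoken": tok})).body)
    print(image_url("/xpi/icon.png"))
```

The decorator order matters: require_method sits outermost so a GET to a write endpoint is rejected before any session or token is consulted, and the CSRF check only ever runs on POST, which is exactly why the read-only views need no token once they move to GET.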
Updated•14 years ago
Assignee: nobody → smcarthur
Comment 1•14 years ago
Most of them have been audited here: https://github.com/mozilla/FlightDeck/commit/1be522dac0dc5e0e5a7162801284bcb93f4a9f00
A couple for Test/Download still use POST for the hashtag; unsure if they need to, and they could instead do something like /xpi/test/hashtag.
Comment 2•14 years ago
I think it can be done - with @never_cache understood by the browser it will work well.
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
Status: RESOLVED → VERIFIED
Updated•10 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard