Closed Bug 666630 Opened 10 years ago Closed 10 years ago

Redirect anonymous users to login page on loading validation results


( Graveyard :: Developer Pages, defect)

(Reporter: krupa.mozbugs, Assigned: andy+bugzilla)

(Whiteboard: [patch][needs review])

(1 file)

steps to reproduce:
1. User is *not* logged-in.
2. Load

expected behavior:
User is redirected to the login page

actual behavior:
Page is a 403 and shows 'Internal server error'
The 403 error is due to a CSRF validation failure to

Normally I would say that CSRF protection isn't needed on read-only pages. However, there are cross-domain attacks that source JSON blobs, e.g. a malicious page would include something like
<script src="">
then an attacker would modify JS object handlers to read the data.

The normal mitigation to this type of attack is to prefix the blob to prevent the JS interpreter from evaluating the object e.g.
while();//REST OF DATA
The client-side code would then strip out the "while();//" from the XHR response.

Since the CSRF token checking is preventing the attack right now... probably no reason to change it. I did notice that other views in the file are marked @csrf_view_exempt

As for the login issue, the supplied patch should fix it
Target Milestone: 6.1.3 → 6.1.4
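The prefix mitigation described in the comment above, as an added example that is not part of this bug or of the AMO code base. It spells the prefix out as `while(1);//` (the form that actually loops; the comment abbreviates it as `while();//`), and the function names and the sample validation payload are invented for the illustration.

```javascript
// Added example (not from the bug or the project): server-side prefixing and
// client-side stripping of a JSON blob so a cross-origin <script src> include
// cannot evaluate it. Names are invented for this illustration.
const ANTI_HIJACK_PREFIX = 'while(1);//';

// Server side: a page that includes this URL via <script src="..."> hits an
// infinite loop before the JSON literal is reached, while a same-origin XHR
// still receives the raw bytes and can strip the prefix itself.
function encodeProtectedJson(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// True when a response body carries the expected prefix.
function isProtectedJson(text) {
  return typeof text === 'string' && text.startsWith(ANTI_HIJACK_PREFIX);
}

// Client side: remove the prefix from xhr.responseText, then parse. A body
// without the prefix is rejected rather than parsed, so an endpoint that
// forgot to add it fails loudly instead of silently shipping an unprotected
// blob.
function parseProtectedJson(text) {
  if (!isProtectedJson(text)) {
    throw new Error('response is missing the anti-hijack prefix');
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}

// Constructed sample resembling a validation-results payload.
const SAMPLE_RESULT = {
  validation: {
    errors: 1,
    warnings: 0,
    messages: [{ type: 'error', message: 'constructed sample message' }],
  },
};

// Round trip: what the browser sees on the wire, and what the page script
// hands to the rest of the UI after stripping the prefix.
const wireBody = encodeProtectedJson(SAMPLE_RESULT);
const decoded = parseProtectedJson(wireBody);
console.log(wireBody.slice(0, 40) + '...', 'errors:', decoded.validation.errors);
```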
Andy, can you review dchan's patch?
Assignee: nobody → dchan
Whiteboard: [patch][needs review]
It's a holiday in Canada. Kicking to next week.
Target Milestone: 6.1.4 → 6.1.5
Assignee: dchan → amckay
Target Milestone: 6.1.5 → 6.1.6
Comment on attachment 541424 [details] [diff] [review]
require login to view validation results

Review of attachment 541424 [details] [diff] [review]:
Attachment #541424 - Flags: review+

Thanks dchan.
Closed: 10 years ago
Resolution: --- → FIXED
Product: → Graveyard