Closed
Bug 698427
Opened 13 years ago
Closed 5 years ago
use django-session-csrf
Categories
(developer.mozilla.org Graveyard :: Wiki pages, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: groovecoder, Unassigned)
References
Details
See bug 649520
Reporter | ||
Updated•13 years ago
|
Whiteboard: u=user c=security p= → u=user c=security p=2
Updated•13 years ago
|
Assignee: nobody → jbennett
Reporter | ||
Updated•13 years ago
|
Target Milestone: 1.6 → 1.7
Reporter | ||
Updated•13 years ago
|
Target Milestone: 1.7 → ---
Comment 1•13 years ago
|
||
There's a conflict here, in that some of our existing code relies on django.utils.thread_support, which doesn't exist *after* Django 1.2, but django-session-csrf requires django.utils.crypto which doesn't exist *before* Django 1.3. So there's currently no way for us to integrate this.
What we probably want is a bug for migrating to Django 1.3+, and have that be a blocker for this one; once that part's sorted out, switching to the session CSRF middleware is easy (and see the branch named for this bug in my repo for the code).
Updated•13 years ago
|
Target Milestone: --- → 2.3
Reporter | ||
Updated•13 years ago
|
Target Milestone: 2.3 → ---
Assignee | ||
Updated•12 years ago
|
Version: MDN → unspecified
Assignee | ||
Updated•12 years ago
|
Component: Website → Landing pages
Updated•12 years ago
|
Whiteboard: u=user c=security p=2 → u=user c=security specifications
Updated•12 years ago
|
Priority: -- → P1
Whiteboard: u=user c=security specifications → [specification-like][type:feature]
Updated•12 years ago
|
Assignee: jbennett → nobody
Updated•12 years ago
|
Whiteboard: [specification-like][type:feature] → [type:feature]
Updated•12 years ago
|
Priority: P1 → P2
Updated•11 years ago
|
Assignee: nobody → jbennett
Comment 2•11 years ago
|
||
One hangup of django-session-csrf is that it requires some effort to CSRF-protect anything that a non-logged-in user would do. So far as I can tell, in kuma that only happens in two places: user signup, and user login. Which means we have a couple options:
1. We could just turn off CSRF protection for those views. I don't know what the security implications of that would be.
2. We can CSRF-protect them, but doing so requires us to make sure we are (and I'm pretty sure we are) set up to handle that with respect to the cache requirements for it.
Reporter | ||
Comment 3•11 years ago
|
||
We should CSRF protect sign-in - we use it to change the email address for accounts.
Updated•11 years ago
|
Severity: normal → enhancement
Priority: P2 → --
Comment 4•11 years ago
|
||
Bug 789016 blocks several contributors from MDN. Requiring a referer is a HTTP specification violation (see mentioned bug for references). Thus, this is a serious bug, not just a "nice to have" feature.
Severity: enhancement → normal
Whiteboard: [type:feature]
Comment 5•11 years ago
|
||
(In reply to Ben Bucksch (:BenB) from comment #4)
> Bug 789016 blocks several contributors from MDN. Requiring a referer is a
> HTTP specification violation (see mentioned bug for references). Thus, this
> is a serious bug, not just a "nice to have" feature.
+1
Is upgrading to django-session-csrf on the roadmap?
Updated•9 years ago
|
Assignee: jbennett → nobody
Comment 6•9 years ago
|
||
Is there any way to increase the priority of this bug? We shouldn't require users to turn referrers on and decrease their privacy in order to contribute to MDN. Browsers don't have a per origin referrer value override, so re-enabling referrers on MDN means re-enabling referrers everywhere.
Comment 7•5 years ago
|
||
MDN Web Docs' bug reporting has now moved to GitHub. From now on, please file content bugs at https://github.com/mdn/sprints/issues/ and platform bugs at https://github.com/mdn/kuma/issues/.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Updated•5 years ago
|
Product: developer.mozilla.org → developer.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•