Closed Bug 880890 Opened 12 years ago Closed 12 years ago

Implement CSRF protection for Thimble

Categories

(Webmaker Graveyard :: Thimble, defect)

defect
Not set
blocker

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jon, Assigned: michiel)

Details

(Whiteboard: s=2013w24 p=1)

Attachments

(1 file)

Thimble-node needs CSRF protection now that it has user accounts.
No longer blocks: 880900
Whiteboard: s=2013w24 → s=2013w24 p=1
Severity: normal → blocker
Attachment #760449 - Flags: review?(jon)
Attachment #760449 - Flags: review?(jon) → review?(schranz.m)
Comment on attachment 760449
https://github.com/mozilla/thimble.webmaker.org/pull/105
I had a really minor nit. Other than that, I'm fairly confident in saying this is good to go. Locally SSO worked just fine. I don't know if there are any other spots in Thimble's code where we want to pass the CSRF token along but yeah. R+
Attachment #760449 - Flags: review?(schranz.m) → review+
There are only two places where we render HTML, and the second place is the (temporary) gallery page that we're not actually surfacing in the tool (it's there for administrative purposes atm). I'll fix the code based on your suggestion, then land it after Travis clears it.
landed.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Attachment mime type: text/plain → text/x-github-pull-request