[JENKINS-15252] Why is "Prevent Cross Site Request Forgery exploits" disabled by default?

Type: Bug
Resolution: Fixed
Priority: Minor
Component/s: core
Labels:
- documentation

Similar Issues:
Powered by SuggestiMate

Show

It's not clear why "Prevent Cross Site Request Forgery exploits" is disabled by default.
The help needs to explain the downside of enabling this feature, if any.

links to

Daniel Beck added a comment - 2014-10-13 20:43 - edited

Would this be sufficient?

Some Jenkins features (like the REST API) are more difficult to use when this
option is enabled. Some features, especially in plugins not tested with this
option enabled, may not work at all. Some reverse proxies may filter the "crumb"
parameter, resulting in failures when trying to use certain actions.

Daniel Beck added a comment - 2014-10-13 20:43 - edited Would this be sufficient? Some Jenkins features (like the REST API) are more difficult to use when this option is enabled. Some features, especially in plugins not tested with this option enabled, may not work at all. Some reverse proxies may filter the "crumb" parameter, resulting in failures when trying to use certain actions.

cowwoc added a comment - 2014-10-13 22:15

That sounds okay to me.

cowwoc added a comment - 2014-10-13 22:15 That sounds okay to me.

SCM/JIRA link daemon added a comment - 2014-10-27 05:02

Code changed in jenkins
User: Daniel Beck
Path:
core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html
http://jenkins-ci.org/commit/jenkins/16509dc22c7129f64c6c2668779b71de819912cf
Log:
[FIXED JENKINS-15252] Explain problems with CSRF protection

SCM/JIRA link daemon added a comment - 2014-10-27 05:02 Code changed in jenkins User: Daniel Beck Path: core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html http://jenkins-ci.org/commit/jenkins/16509dc22c7129f64c6c2668779b71de819912cf Log: [FIXED JENKINS-15252] Explain problems with CSRF protection

SCM/JIRA link daemon added a comment - 2014-10-27 05:02

Code changed in jenkins
User: Oleg Nenashev
Path:
core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html
http://jenkins-ci.org/commit/jenkins/8e0b87c0ace41478dce790eceb18019d32371242
Log:
Merge pull request #1438 from daniel-beck/~~JENKINS-15252~~

[FIXED JENKINS-15252] Explain problems with CSRF protection

Compare: https://github.com/jenkinsci/jenkins/compare/6ee4d4a92757...8e0b87c0ace4

SCM/JIRA link daemon added a comment - 2014-10-27 05:02 Code changed in jenkins User: Oleg Nenashev Path: core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html http://jenkins-ci.org/commit/jenkins/8e0b87c0ace41478dce790eceb18019d32371242 Log: Merge pull request #1438 from daniel-beck/ JENKINS-15252 [FIXED JENKINS-15252] Explain problems with CSRF protection Compare: https://github.com/jenkinsci/jenkins/compare/6ee4d4a92757...8e0b87c0ace4

dogfood added a comment - 2014-10-27 06:29

Integrated in jenkins_main_trunk #3779
[FIXED JENKINS-15252] Explain problems with CSRF protection (Revision 16509dc22c7129f64c6c2668779b71de819912cf)

Result = SUCCESS
daniel-beck : 16509dc22c7129f64c6c2668779b71de819912cf
Files :

core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html

dogfood added a comment - 2014-10-27 06:29 Integrated in jenkins_main_trunk #3779 [FIXED JENKINS-15252] Explain problems with CSRF protection (Revision 16509dc22c7129f64c6c2668779b71de819912cf) Result = SUCCESS daniel-beck : 16509dc22c7129f64c6c2668779b71de819912cf Files : core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html

Assignee:: Daniel Beck

Reporter:: cowwoc

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2012-09-20 14:14

Updated:: 2014-10-27 06:29

Resolved:: 2014-10-27 05:02

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Daniel Beck added a comment - 2014-10-13 20:43, Edited by Daniel Beck - 2014-10-13 20:44

Expand comment: Daniel Beck added a comment - 2014-10-13 20:43, Edited by Daniel Beck - 2014-10-13 20:44

Collapse comment: cowwoc added a comment - 2014-10-13 22:15

Expand comment: cowwoc added a comment - 2014-10-13 22:15

Collapse comment: SCM/JIRA link daemon added a comment - 2014-10-27 05:02

Expand comment: SCM/JIRA link daemon added a comment - 2014-10-27 05:02

Collapse comment: SCM/JIRA link daemon added a comment - 2014-10-27 05:02

Expand comment: SCM/JIRA link daemon added a comment - 2014-10-27 05:02

Collapse comment: dogfood added a comment - 2014-10-27 06:29

Expand comment: dogfood added a comment - 2014-10-27 06:29

People

Dates