[JENKINS-15252] Why is "Prevent Cross Site Request Forgery exploits" disabled by default?

Type: Bug
Resolution: Fixed
Priority: Minor
Component/s: core
Labels:
- documentation

Similar Issues:
Powered by SuggestiMate

Show

It's not clear why "Prevent Cross Site Request Forgery exploits" is disabled by default.
The help needs to explain the downside of enabling this feature, if any.

links to

PR 1438

cowwoc created issue - 2012-09-20 14:14

Jenkins IRC Bot made changes - 2014-09-27 15:41

Component/s		New: core [ 15593 ]
Component/s	Original: gui [ 15492 ]

Daniel Beck added a comment - 2014-10-13 20:43 - edited

Would this be sufficient?

Some Jenkins features (like the REST API) are more difficult to use when this
option is enabled. Some features, especially in plugins not tested with this
option enabled, may not work at all. Some reverse proxies may filter the "crumb"
parameter, resulting in failures when trying to use certain actions.

Daniel Beck added a comment - 2014-10-13 20:43 - edited Would this be sufficient? Some Jenkins features (like the REST API) are more difficult to use when this option is enabled. Some features, especially in plugins not tested with this option enabled, may not work at all. Some reverse proxies may filter the "crumb" parameter, resulting in failures when trying to use certain actions.

cowwoc added a comment - 2014-10-13 22:15

That sounds okay to me.

cowwoc added a comment - 2014-10-13 22:15 That sounds okay to me.

Daniel Beck made changes - 2014-10-13 22:29

Assignee

New: Daniel Beck [ danielbeck ]

Daniel Beck made changes - 2014-10-13 22:30

Labels		New: documentation
Priority	Original: Major [ 3 ]	New: Minor [ 4 ]

Daniel Beck made changes - 2014-10-24 13:05

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

Daniel Beck made changes - 2014-10-24 13:05

Remote Link

New: This issue links to "PR 1438 (Web Link)" [ 11808 ]

SCM/JIRA link daemon added a comment - 2014-10-27 05:02

Code changed in jenkins
User: Daniel Beck
Path:
core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html
http://jenkins-ci.org/commit/jenkins/16509dc22c7129f64c6c2668779b71de819912cf
Log:
[FIXED JENKINS-15252] Explain problems with CSRF protection

SCM/JIRA link daemon added a comment - 2014-10-27 05:02 Code changed in jenkins User: Daniel Beck Path: core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html http://jenkins-ci.org/commit/jenkins/16509dc22c7129f64c6c2668779b71de819912cf Log: [FIXED JENKINS-15252] Explain problems with CSRF protection

SCM/JIRA link daemon made changes - 2014-10-27 05:02

Resolution		New: Fixed [ 1 ]
Status	Original: In Progress [ 3 ]	New: Resolved [ 5 ]

Assignee:: Daniel Beck

Reporter:: cowwoc

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2012-09-20 14:14

Updated:: 2014-10-27 06:29

Resolved:: 2014-10-27 05:02

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Daniel Beck added a comment - 2014-10-13 20:43, Edited by Daniel Beck - 2014-10-13 20:44

Expand comment: Daniel Beck added a comment - 2014-10-13 20:43, Edited by Daniel Beck - 2014-10-13 20:44

Collapse comment: cowwoc added a comment - 2014-10-13 22:15

Expand comment: cowwoc added a comment - 2014-10-13 22:15

Collapse comment: SCM/JIRA link daemon added a comment - 2014-10-27 05:02

Expand comment: SCM/JIRA link daemon added a comment - 2014-10-27 05:02

People

Dates