You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@allura.apache.org by Dave Brondsema <br...@users.sf.net> on 2013/10/31 20:17:08 UTC

[allura:tickets] #5475 Move CSRF token insertion from JS to easywidgets

- **summary**: Provide non-javascript fallback behavior --> Move CSRF token insertion from JS to easywidgets
- Description has changed:

Diff:

~~~~

--- old
+++ new
@@ -1,3 +1,5 @@
-Site functions should continue to work with Javascript disabled.
+Standard forms across on Allura have a `_session_id` field inserted by JS.  AJAX forms insert it themselves.  This is for CSRF protection.
 
-Ref: [forge:site-support:#2017]
+For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side.  The `ForgeForm` class seems like a useful place to do this.  Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template.  A one-line macro seems like a good way to handle that.
+
+AJAX forms can stay as-is, they use JS already anyway.

~~~~




---

** [tickets:#5475] Move CSRF token insertion from JS to easywidgets**

**Status:** open
**Labels:** support p3 
**Created:** Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen
**Last Updated:** Wed Apr 24, 2013 01:18 PM UTC
**Owner:** nobody

Standard forms across on Allura have a `_session_id` field inserted by JS.  AJAX forms insert it themselves.  This is for CSRF protection.

For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side.  The `ForgeForm` class seems like a useful place to do this.  Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template.  A one-line macro seems like a good way to handle that.

AJAX forms can stay as-is, they use JS already anyway.


---

Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.