Posted to dev@storm.apache.org by "P. Taylor Goetz (JIRA)" <ji...@apache.org> on 2015/06/01 22:44:17 UTC

[jira] [Updated] (STORM-749) Remove CSRF check from rest API

     [ https://issues.apache.org/jira/browse/STORM-749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

P. Taylor Goetz updated STORM-749:
----------------------------------
    Fix Version/s:     (was: 0.11.0)

> Remove CSRF check from rest API
> -------------------------------
>
>                 Key: STORM-749
>                 URL: https://issues.apache.org/jira/browse/STORM-749
>             Project: Apache Storm
>          Issue Type: Task
>    Affects Versions: 0.9.3
>            Reporter: Parth Brahmbhatt
>            Assignee: Parth Brahmbhatt
>             Fix For: 0.10.0
>
>
> I think we can safely get rid of the whole CSRF code. CSRF vulnerability is only exposed when websites use session-based authentication. In our case we only use HTTP authentication so we are not really vulnerable to CSRF attacks. Currently the CSRF check only hinders non-browser clients.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)