Jenkins issue JENKINS-15252

Why is "Prevent Cross Site Request Forgery exploits" disabled by default?

      Description

      1. It's not clear why "Prevent Cross Site Request Forgery exploits" is disabled by default.
      2. The help needs to explain the downside of enabling this feature, if any.

            Activity

            Daniel Beck (danielbeck) added a comment - edited

            Would this be sufficient?

            Some Jenkins features (like the REST API) are more difficult to use when this
            option is enabled. Some features, especially in plugins not tested with this
            option enabled, may not work at all. Some reverse proxies may filter the "crumb"
            parameter, resulting in failures when trying to use certain actions.

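            The comment above says the REST API gets harder to use once the option is on because every state-changing POST has to carry a "crumb". The following is an added example (not code from Jenkins or from anyone in this thread) showing what that costs a scripted client: it first GETs the crumb and the header name from /crumbIssuer/api/json, then sends the crumb on the POST. The server side is a constructed stand-in for a Jenkins master that issues one crumb and refuses POSTs without it; the endpoint path and the "crumbRequestField" name are Jenkins' real interface, the 403 text mirrors the message Jenkins returns, and the job URL /job/example/build is illustrative only.

```python
"""Jenkins CSRF crumb round-trip: fetch the crumb, then POST with it (added example)."""
import http.server
import json
import secrets
import threading
import urllib.error
import urllib.request

# Name Jenkins reports in "crumbRequestField"; the client must send the crumb
# under this name as a header (or as a form parameter).
CRUMB_FIELD = "Jenkins-Crumb"


class FakeJenkins(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a Jenkins master with CSRF protection enabled.

    It serves the crumb at /crumbIssuer/api/json (the real endpoint) and
    rejects any POST that does not carry the matching crumb, answering 403
    with the text Jenkins itself uses.
    """
    crumb = secrets.token_hex(16)  # one crumb for the life of this fake server

    def do_GET(self):
        if self.path == "/crumbIssuer/api/json":
            body = json.dumps({"crumb": self.crumb,
                               "crumbRequestField": CRUMB_FIELD}).encode()
            self._reply(200, body)
        else:
            self._reply(404, b"not found")

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        if self.headers.get(CRUMB_FIELD) == self.crumb:
            self._reply(200, b"ok")
        else:
            self._reply(403, b"No valid crumb was included in the request")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


# Proxy-free opener: an intermediary between client and Jenkins is exactly
# where the crumb can get filtered, so the example talks to the server directly.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_crumb(base_url):
    """Step 1: GET the crumb; returns (field_name, crumb_value)."""
    with _opener.open(base_url + "/crumbIssuer/api/json") as resp:
        data = json.load(resp)
    return data["crumbRequestField"], data["crumb"]


def post(base_url, path, crumb=None):
    """Step 2: POST to a state-changing URL, attaching the crumb as a header.

    Returns the HTTP status code (403 means the crumb was missing or wrong).
    """
    req = urllib.request.Request(base_url + path, data=b"", method="POST")
    if crumb is not None:
        field, value = crumb
        req.add_header(field, value)
    try:
        with _opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def start_fake_jenkins():
    """Bind the constructed server on an ephemeral port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeJenkins)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Run the three cases; returns (no crumb, valid crumb, wrong crumb) statuses."""
    server, base = start_fake_jenkins()
    try:
        missing = post(base, "/job/example/build")          # what a naive REST client does
        crumb = fetch_crumb(base)
        valid = post(base, "/job/example/build", crumb)     # crumb-aware client
        wrong = post(base, "/job/example/build", (crumb[0], "0" * 32))  # stale or forged crumb
    finally:
        server.shutdown()
        server.server_close()
    return missing, valid, wrong


if __name__ == "__main__":
    print(demo())  # (403, 200, 403)
```

            Sending the crumb as a header rather than a form parameter is the usual choice for scripts, and it is also the variant least likely to be dropped by a proxy that rewrites request bodies; a proxy that strips unknown headers will still break it, which is the failure the comment describes.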
            cowwoc added a comment -

            That sounds okay to me.

            SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html
            http://jenkins-ci.org/commit/jenkins/16509dc22c7129f64c6c2668779b71de819912cf
            Log:
            [FIXED JENKINS-15252] Explain problems with CSRF protection

            SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html
            http://jenkins-ci.org/commit/jenkins/8e0b87c0ace41478dce790eceb18019d32371242
            Log:
            Merge pull request #1438 from daniel-beck/JENKINS-15252

            [FIXED JENKINS-15252] Explain problems with CSRF protection

            Compare: https://github.com/jenkinsci/jenkins/compare/6ee4d4a92757...8e0b87c0ace4

            dogfood added a comment -

            Integrated in jenkins_main_trunk #3779
            [FIXED JENKINS-15252] Explain problems with CSRF protection (Revision 16509dc22c7129f64c6c2668779b71de819912cf)

            Result = SUCCESS
            daniel-beck : 16509dc22c7129f64c6c2668779b71de819912cf
            Files :

            • core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/help-csrf.html

              People

              • Assignee: Daniel Beck (danielbeck)
              • Reporter: cowwoc
              • Votes: 0
              • Watchers: 4