From: "Dave Brondsema"
To: "[allura:tickets] " <5475@tickets.allura.p.re.sf.net>
Reply-To: "[allura:tickets] " <5475@tickets.allura.p.re.sf.net>
Delivered-To: mailing list allura-dev@incubator.apache.org
Subject: [allura:tickets] #5475 Move CSRF token insertion from JS to easywidgets
Date: Thu, 31 Oct 2013 19:17:08 +0000
Message-ID:
In-Reply-To: <50cf8e2d1be1ce5545da56b8.tickets@allura.p.sourceforge.net>
References: <50cf8e2d1be1ce5545da56b8.tickets@allura.p.sourceforge.net>
Received-SPF: pass (athena.apache.org: domain of noreply@sourceforge.net designates 216.34.181.60 as permitted sender)

  • summary: Provide non-javascript fallback behavior --> Move CSRF token insertion from JS to easywidgets
  • Description has changed:

Diff:

--- old
+++ new
@@ -1,3 +1,5 @@
-Site functions should continue to work with Javascript disabled.
+Standard forms across on Allura have a `_session_id` field inserted by JS.  AJAX forms insert it themselves.  This is for CSRF protection.

-Ref: [forge:site-support:#2017]
+For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side.  The `ForgeForm` class seems like a useful place to do this.  Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template.  A one-line macro seems like a good way to handle that.
+
+AJAX forms can stay as-is, they use JS already anyway.
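Review bot: the rewrite drops the `Ref: [forge:site-support:#2017]` line along with the old one-sentence requirement, so the support ticket that motivated the non-JS fallback is no longer linked from #5475; keep the `Ref:` line under the new text (or mention the support ticket in the summary) so the origin of the requirement stays traceable.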

[tickets:#5475] Move CSRF token insertion from JS to easywidgets

Status: open
Labels: support p3
Created: Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen
Last Updated: Wed Apr 24, 2013 01:18 PM UTC
Owner: nobody

Standard forms across Allura have a _session_id field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.

For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The ForgeForm class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.

AJAX forms can stay as-is, they use JS already anyway.


Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
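The mechanism the ticket describes, as an added example that is not Allura's own code: the server renders the hidden `_session_id` field into every state-changing form (the job the ticket proposes giving to `ForgeForm` or a one-line Jinja macro), a browser with JavaScript disabled submits it like any other field, and the server refuses non-safe requests whose field does not match the session cookie. The helper names (`csrf_hidden_field`, `render_form`, `submit_without_js`, `csrf_ok`) are hypothetical stand-ins for the easywidgets/Jinja pieces, and the double-submit comparison against the cookie is an assumption about the server-side check; the ticket only says the field exists "for CSRF protection".

```python
"""Server-rendered CSRF field plus the request check it pairs with.

Added example, not Allura code. The double-submit rule (form token must
equal the session cookie) is an assumed design, not taken from the page.
"""
import hmac
import html
from html.parser import HTMLParser

TOKEN_FIELD = "_session_id"                       # field name from the ticket
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def csrf_hidden_field(session_id: str) -> str:
    """What a one-line Jinja macro would emit inside a <form>."""
    value = html.escape(session_id, quote=True)
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{value}">'


def render_form(action: str, session_id: str, fields: dict) -> str:
    """Hypothetical stand-in for ForgeForm: every POST form gets the token
    server-side, so it still works with JavaScript disabled."""
    parts = [f'<form method="POST" action="{html.escape(action, quote=True)}">',
             csrf_hidden_field(session_id)]
    for name, value in fields.items():
        parts.append(f'<input type="text" name="{html.escape(name, quote=True)}" '
                     f'value="{html.escape(value, quote=True)}">')
    parts.append('<input type="submit"></form>')
    return "\n".join(parts)


class _FormFields(HTMLParser):
    """Collects name/value pairs of <input> elements, i.e. what a browser
    submits for the form when no script runs."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: attribute values are unescaped
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type") == "submit" or "name" not in a:
            return
        self.fields[a["name"]] = a.get("value") or ""


def submit_without_js(form_html: str) -> dict:
    """Simulate a no-JavaScript browser submitting the rendered form."""
    parser = _FormFields()
    parser.feed(form_html)
    return parser.fields


def csrf_ok(method: str, cookies: dict, form: dict) -> bool:
    """Assumed server-side check: safe methods pass; anything else must carry
    a form token equal to the session cookie. A cross-site attacker can make
    the victim's browser send the cookie but cannot read it, so the forged
    form body cannot contain the matching value."""
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = cookies.get(TOKEN_FIELD)
    form_token = form.get(TOKEN_FIELD)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


if __name__ == "__main__":
    sid = "5b0d5f6f1e2c4a7d8e9f"                  # constructed session id
    page = render_form("/p/allura/tickets/new", sid, {"summary": "a <b>ticket</b>"})
    print(page)
    body = submit_without_js(page)
    print("legit:", csrf_ok("POST", {TOKEN_FIELD: sid}, body))
    print("forged:", csrf_ok("POST", {TOKEN_FIELD: sid}, {"summary": "forged"}))
```

Because the token here is the session id itself, the protection is only as strong as the secrecy of that cookie: any script injection on the site can read the field out of the page, and a cookie set by a sibling subdomain can satisfy a pure double-submit comparison. Rendering the field server-side changes where the token is inserted, not that property.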
