#3796: remove _csrf_token from display URLs
-------------------------+------------------------------
Reporter: till | Owner: webmaster
Type: enhancement | Status: new
Priority: major | Milestone: HANDWAVY-FUTURE
Component: Web Content | Version:
Severity: Normal | Resolution:
Keywords: EasyFix | Blocked By:
Blocking: | Sensitive: 0
-------------------------+------------------------------
Changes (by toshio):
* keywords: => EasyFix
Comment:
We think this would be a good feature to add. It'll require modifying
every app individually as there isn't a site-wide template we can inject
it into. We'll also want to verify that the javascript works even if the
app is using a non-csrf-protecting plugin.
For implementation, I think we'd want to add this into a site-wide
javascript file and then in each application's base template add something
like:
<script type='text/javascript' src='https://fedoraproject.org/static/js/site-csrf-srip.js' />
Marking this EasyFix as it's mostly checking out the source code for all
the TG1 and TG2 apps and adding that. The first one will need a little
coordination and testing:
* Making sure that the javascript doesn't cause errors when a non-csrf
identity provider is used (mirrormanager in particular is written to
support sites that just use the vanilla TG1 sqlobject identity provider).
* Adding the javascript file into the
fedoraproject.org/static/ directory.
If someone gets to this before me and needs help, feel free to ask for
help enabling these on #fedora-admin.
--
Ticket URL: <https://fedorahosted.org/fedora-infrastructure/ticket/3796#comment:1>
Fedora Infrastructure <http://fedoraproject.org/wiki/Infrastructure>
Fedora Infrastructure Project for Bugs, feature requests and access to our source code.
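
A sketch of what the site-wide script discussed in the comment above could contain, as an added example that is not part of the ticket or Fedora's own code. The function names, the use of the History API (`history.replaceState`) and the sample URLs are assumptions. Only the `_csrf_token` parameter name comes from the ticket.

```javascript
// Added example: hypothetical body for a site-wide CSRF-token-stripping script.
const CSRF_PARAM = '_csrf_token'; // parameter name from the ticket title

// Return href with every _csrf_token query parameter removed.
// The input is returned unchanged when it carries no token or cannot be
// parsed, so pages served without a CSRF-aware identity provider are untouched.
function stripCsrfToken(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return href; // not an absolute URL: leave it alone rather than raise
  }
  if (!url.searchParams.has(CSRF_PARAM)) {
    return href;
  }
  url.searchParams.delete(CSRF_PARAM);
  return url.toString(); // other parameters and the #fragment are preserved
}

// Rewrite the address bar in place, without a reload or a new history entry.
// Returns true only if the displayed URL was changed.
function cleanAddressBar(win) {
  if (!win || !win.history || typeof win.history.replaceState !== 'function') {
    return false; // no History API: do nothing instead of throwing
  }
  const current = win.location.href;
  const cleaned = stripCsrfToken(current);
  if (cleaned === current) {
    return false; // no token in the URL, e.g. a non-CSRF identity provider
  }
  win.history.replaceState(win.history.state, '', cleaned);
  return true;
}

// Run only in a browser; the functions above stay testable outside one.
if (typeof window !== 'undefined') {
  cleanAddressBar(window);
}
```

The early returns cover the case the comment singles out for testing: a page whose URL never carries the token must load without script errors.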