[rules-dev] Guvnor XSRF attack?

Geoffrey De Smet ge0ffrey.spam at gmail.com
Thu Mar 24 16:34:32 EDT 2011


I haven't seen it yet, firefox 3.6.15, mostly hosted mode.

Until we can reproduce it or at least understand why it's happening, I 
propose:
- do not turn off XSRF protection on master
- turn off XSRF protection on the 5.2.0.x release branch (after it is 
branched). Too many reports to hope that our users won't suffer from it.
Once we understand why it's happening we can make an informed decision 
to fix it or turn off the XSRF protection on master too.

On 24-03-11 15:34, Michael Anstis wrote:
> So, realistically we can expect our users to notice the hiccup at 
> some stage with 5.2.0 (or GWT2.1+ in reality).
>
> Should we consider an emergency game-plan should a fix not be found 
> prior to release? e.g. Remove XSRF protection short-term. It doesn't 
> leave Guvnor any more exposed than we were pre-GWT2.1. I've posted to 
> GWT's forums but had no response as yet.
>
> Views anybody?
>
> Cheers,
>
> Mike
>
> On 24 March 2011 14:26, Tihomir Surdilovic <tsurdilo at redhat.com 
> <mailto:tsurdilo at redhat.com>> wrote:
>
>     On 3/23/11 4:34 PM, Michael Anstis wrote:
>     > Has anybody experienced this in "Web" mode?
>     Yes. When first reporting this I was running on JBoss AS 4.2.3.
>
>     Thanks.
>     _______________________________________________
>     rules-dev mailing list
>     rules-dev at lists.jboss.org <mailto:rules-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/rules-dev
>
>
>

-- 
With kind regards,
Geoffrey De Smet
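What the thread is weighing up is turning off the XSRF protection that GWT 2.1+ adds to RPC calls. The script below is an added illustration, not Guvnor or GWT code: it models the scheme as a small servlet that only accepts an RPC when the body carries a token derived from the session cookie, then runs a legitimate call and a forged cross-site call against it with protection on and off. The token derivation (an MD5 of the session cookie value), the cookie name, the `xsrfToken` field and the `saveAsset`/`deleteAsset` method names are assumptions made for the example; the session id and requests are constructed samples.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Illustrative model of GWT-style XSRF protection (not the GWT or Guvnor code).
# Idea: a cross-site page can make the victim's browser *send* the session
# cookie, but cannot *read* it. If every RPC must also carry a value derived
# from that cookie in its body, a forged request cannot supply it.

SESSION_COOKIE = "JSESSIONID"   # assumed cookie name


def xsrf_token_for(session_id: str) -> str:
    """Token the server hands to the real client: assumed here to be an MD5 of the session cookie."""
    return hashlib.md5(session_id.encode()).hexdigest()


@dataclass
class Request:
    cookies: dict   # what the browser attaches automatically
    body: dict      # what the requesting page controls


class RpcServlet:
    """Tiny stand-in for an RPC endpoint with a switchable XSRF check."""

    def __init__(self, xsrf_protection: bool):
        self.xsrf_protection = xsrf_protection
        self.executed = []   # methods that actually ran

    def handle(self, req: Request) -> int:
        session_id = req.cookies.get(SESSION_COOKIE)
        if session_id is None:
            return 401   # no session at all
        if self.xsrf_protection:
            expected = xsrf_token_for(session_id)
            supplied = req.body.get("xsrfToken", "")
            # constant-time compare so the check itself leaks nothing
            if not hmac.compare_digest(expected, supplied):
                return 403   # cookie present, token wrong: looks cross-site
        self.executed.append(req.body["method"])
        return 200


def simulate(xsrf_protection: bool) -> list:
    """Return the status codes for a legitimate call followed by a forged cross-site call."""
    servlet = RpcServlet(xsrf_protection)
    session_id = "A1B2C3D4"   # constructed sample session id

    # Legitimate client: fetched its token from the server first, so it can include it.
    legit = Request(
        cookies={SESSION_COOKIE: session_id},
        body={"method": "saveAsset", "xsrfToken": xsrf_token_for(session_id)},
    )
    # Cross-site page: the browser still attaches the cookie, but the attacker
    # never saw its value, so the best they can do is guess a token.
    forged = Request(
        cookies={SESSION_COOKIE: session_id},
        body={"method": "deleteAsset", "xsrfToken": "0" * 32},
    )
    return [servlet.handle(legit), servlet.handle(forged)]


if __name__ == "__main__":
    print("protection on :", simulate(True))    # [200, 403]
    print("protection off:", simulate(False))   # [200, 200]
```

With protection on, the forged `deleteAsset` is refused with 403 while the real `saveAsset` goes through; with protection off both return 200, which is the exposure the "no worse than pre-GWT2.1" argument refers to. Note that the model treats a missing or wrong token as a hard failure, which is exactly why a client that loses or fails to refresh its token appears to users as an outage rather than a silent downgrade.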
