Bug 448417

Summary: Disable XSRF filter by default
Product: [ECD] Orion
Reporter: John Arthorne <john.arthorne>
Component: Server
Assignee: John Arthorne <john.arthorne>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: mamacdon, matthias.sohn
Version: unspecified
Target Milestone: 7.0
Hardware: PC
OS: Windows 7
Whiteboard:

Description John Arthorne CLA 2014-10-22 15:45:25 EDT
We have hit a number of problems with the new XSRF protection filter. Because it is late in the release cycle and we don't know how this might impact other adopters, we should change this to be off by default, and adopters can turn it on at their own discretion. We could revisit the default value in a future release once we become more comfortable with it and can understand the impact on clients/adopters.
Comment 1 John Arthorne CLA 2014-10-23 11:41:46 EDT
Released this fix. Mark, can you verify, and can you think of anything I missed here?

http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=110786cd85c193e1acd893f88e70610db2ddfddd
Comment 2 Matthias Sohn CLA 2014-10-25 08:06:41 EDT
+1 for changing the default until the impact of XSRF protection is better understood
Comment 3 Mark Macdonald CLA 2014-10-25 10:32:59 EDT
Fix looks good, marking this bug RESOLVED.

I added some docs about the XSRF filter option to the server admin guide: https://wiki.eclipse.org/Orion/Server_admin_guide#Protecting_against_cross-site_request_forgery_.28XSRF.29