[TYPO3-core] RFC #17184: Disable the CSRF protection in frontend mode
Helmut Hummel
helmut.hummel at typo3.org
Fri Jan 21 11:26:24 CET 2011
Hi Stefan,

On 21.01.2011 02:24, Stefan Galinski wrote:
> Type: Bugfix
>
> Bugtracker reference: http://bugs.typo3.org/view.php?id=17184
>
> Branches: trunk
>
> Problem:
> Currently we are missing a formprotection class that really works for the
> FE. This causes an exception if you want to use ExtDirect in FE.
>
> Solution:
> Disable the CSRF protection in FE mode for ExtDirect calls.

I thought about it after our Skype chat yesterday.

I would suggest adding a generic formprotection class, which can be used
in both FE and BE context.
Then no changes are needed in the ExtJS parts and we could benefit from a
CSRF protection in frontend context also.

I will come up with an RFC, but it will not make it into the RC1, no time,
sorry.

Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader
TYPO3 .... inspiring people to share!
Get involved: typo3.org