Opened 4 years ago
Closed 3 years ago
#1368 closed Enhancement (wontfix)
actions should be able to specify that they don't require an action token
| Reported by: | cash | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Elgg 1.7 |
| Component: | Core | Version: | 1.6 |
| Severity: | minor | Keywords: | |
| Cc: | brettp | Difficulty: | |
Description
There is no need for CSRF security for some actions, such as logging out or downloading a file.
Change History (2)
comment:1 Changed 3 years ago by cash
- Type changed from unconfirmed defect to enhancement
comment:2 Changed 3 years ago by brettp
- Resolution set to wontfix
- Status changed from new to closed

I'm leaning toward requiring action tokens for all actions. I can't think of any actions that wouldn't have enhanced security by requiring tokens.