Alon Bar-Lev has posted comments on this change.

Change subject: restapi: Add CSRF protection filter
......................................................................

Patch Set 2:

Hello Vojtech,

> Simple netmask could be enough for some users, but having "isTrusted"
> function is far more flexible

From the Infra aspect, we are working toward a formal API for extensions for the engine [1], which will probably be merged this week. There is no reason to introduce a competing mechanism at this point.

Also, as I wrote, I do think that a simple netmask solution should be provided in any case, and having logic is just for advanced users. Most people should not write code to customize trivial tasks. As far as I understand, exceptions in this case are insecure, so there is no reason to disable this protection in production, so I do not actually understand the need for flexible customization.

On the packaging side, if we do go this route, the location of the script should be specified by the user, hence specifying a value for RESTAPI_CSRF_TRUST_SCRIPT is incorrect. Also, to follow our conventions, we should support multiple scripts so that a sysadmin can add one or more "logics" easily.

Finally, using the header name JSESSIONID is not something I would like to see; oVirt-specific headers should be X-OVIRT- or any similar unique prefix.

Thanks,

[1] http://gerrit.ovirt.org/#/c/26435/

--
To view, visit http://gerrit.ovirt.org/26578

Gerrit-MessageType: comment
Gerrit-Change-Id: I68f03eeefe5bcb1956036b4a80fef4400c467346
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Barak Azulay <[email protected]>
Gerrit-Reviewer: Itamar Heim <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Michael Pasternak <[email protected]>
Gerrit-Reviewer: Sandro Bonazzola <[email protected]>
Gerrit-Reviewer: Vojtech Szocs <[email protected]>
Gerrit-Reviewer: Yair Zaslavsky <[email protected]>
Gerrit-Reviewer: [email protected]
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: No
