On Mon, Jul 29, 2013 at 4:03 PM, Warren Young <war...@etr-usa.com> wrote:
> On 7/28/2013 13:47, Marc Simpson wrote:
>>
>> Output: "Cross-site request forgery attempt".
>
> That's a browser-specific feature, not something Fossil does. It may
> be that Fossil could work differently to avoid triggering this browser
> security feature, but ultimately it's a false positive.
Please, don't mislead other people. CSRF is a Web vulnerability that browsers can't prevent yet. So it is normally handled on the server side. Check Fossil's sources (src/login.c):

/*
** Before using the results of a form, first call this routine to verify
** that this Anti-CSRF token is present and is valid. If the Anti-CSRF token
** is missing or is incorrect, that indicates a cross-site scripting attack
** so emits an error message and abort.
*/
void login_verify_csrf_secret(void){
  if( g.okCsrf ) return;
  if( fossil_strcmp(P("csrf"), g.zCsrfToken)==0 ){
    g.okCsrf = 1;
    return;
  }
  fossil_fatal("Cross-site request forgery attempt");
}

Regards.

-- 
Isaac Jurado
"The noblest pleasure is the joy of understanding"
Leonardo da Vinci
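To illustrate the server-side check Isaac describes, here is an added example (not Fossil's own code, and not part of the thread) modelled on login_verify_csrf_secret(): it pulls the hypothetical "csrf" field out of a form body, compares it against the token issued for the session in constant time, and rejects the request when the field is missing or wrong. The token format, the form-body parser and the sample inputs are assumptions; values are not URL-decoded.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Fossil's own code: a minimal server-side anti-CSRF check
 * with the session token and the form body passed explicitly, not via globals. */

/* Compare tokens in constant time so timing does not reveal how many leading
 * bytes of a guess matched. Returns 1 on match, 0 otherwise. */
int csrf_token_equal(const char *submitted, const char *expected){
  unsigned char diff = 0;
  size_t i, n = strlen(expected);
  if( submitted==NULL || strlen(submitted)!=n ) return 0;
  for(i=0; i<n; i++) diff |= (unsigned char)(submitted[i] ^ expected[i]);
  return diff==0;
}

/* Copy the value of field "name" from an x-www-form-urlencoded body such as
 * "comment=hi&csrf=8f3a9c1e" into out. Returns 1 if present, 0 if missing. */
int form_field(const char *body, const char *name, char *out, size_t outsz){
  size_t nlen = strlen(name);
  const char *p = body;
  while( p && *p ){
    if( strncmp(p, name, nlen)==0 && p[nlen]=='=' ){
      const char *v = p + nlen + 1;
      size_t vlen = strcspn(v, "&");
      if( vlen>=outsz ) vlen = outsz-1;
      memcpy(out, v, vlen);
      out[vlen] = '\0';
      return 1;
    }
    p = strchr(p, '&');   /* skip to the next field boundary */
    if( p ) p++;
  }
  return 0;
}

/* The check a POST handler runs before trusting form input: the csrf field
 * must be present and equal the token issued with this session. Returns 1 to
 * accept the request and 0 to reject it (the caller then aborts). */
int verify_csrf(const char *session_token, const char *form_body){
  char submitted[128];
  if( !form_field(form_body, "csrf", submitted, sizeof(submitted)) ) return 0;
  return csrf_token_equal(submitted, session_token);
}

int main(void){
  const char *tok = "8f3a9c1e";  /* constructed sample session token */
  printf("%d %d %d\n", verify_csrf(tok, "comment=hi&csrf=8f3a9c1e"),
         verify_csrf(tok, "comment=hi"), verify_csrf(tok, "csrf=00000000&comment=hi"));
  return 0;
}
```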