Mercurial Repository: p/roundup/code: doc/upgrading.txt comparison

comparison doc/upgrading.txt @ 5212:d4cc71beb102

Added support for SameSite cookie option for CSRF prevention This was an easy addon compared to the complexity of the CSRF nonce support. It only works in chromium browsers (Chrome, Opera...) at the moment. But there is recent activity on implementing it in firefox. Who know when edge/ie will adopt it. So csrf nonce and header analysis will be needed for a while.

author	John Rouillard <rouilj@ieee.org>
date	Sun, 19 Mar 2017 19:01:41 -0400
parents	a9ace22e0a2f
children	64ae2108df60

comparison

equal deleted inserted replaced

-:f4b6a2a3e605
+:d4cc71beb102
 missing.
 It is suggested that you change your templates so every form
 has an @csrf field and change the setting to 'required' for
 the csrf_enforce_token.
+Support for SameSite cookie option for session cookie
+-----------------------------------------------------
+Support for serving the session cookie using the SameSite cookie option
+has been added. By default it is set to lax to provide a better user
+experience. But this can be changes to strict or the option can be
+removed entirely.
+Using the process for merging config.ini changes described in
+`Cross Site Request Forgery Detection Added`_ you can add the
+``samesite_cookie_setting`` to the ``[web]`` section of the config
+file.
 Fix for path traversal changes template resolution
 --------------------------------------------------
 The templates in the tracker's html subdirectory must not be

Mercurial > p > roundup > code

comparison doc/upgrading.txt @ 5212:d4cc71beb102