diff CHANGES.txt @ 5212:d4cc71beb102

Added support for SameSite cookie option for CSRF prevention. This was an easy add-on compared to the complexity of the CSRF nonce support. It only works in Chromium browsers (Chrome, Opera...) at the moment. But there is recent activity on implementing it in Firefox. Who knows when Edge/IE will adopt it. So CSRF nonce and header analysis will be needed for a while.
author John Rouillard <rouilj@ieee.org>
date Sun, 19 Mar 2017 19:01:41 -0400
parents a9ace22e0a2f
children 9bf221cebef3
--- a/CHANGES.txt	Sun Mar 19 17:10:13 2017 -0400
+++ b/CHANGES.txt	Sun Mar 19 19:01:41 2017 -0400
@@ -188,6 +188,10 @@
   Requiring enforcement will need some changes to
   templates. Support for protecting xmlrpc endpoint not well
   tested.  See ``upgrading.txt``. (John Rouillard)
+- Added support for using the SameSite cookie option on the
+  session cookie. Default is lax, but there is a settable
+  option in config.ini file to change to strict or
+  suppress it entirely. See ``upgrading.txt``. (John Rouillard)
 
 Fixed:
 
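Review bot: the new CHANGES.txt entry says there is "a settable option in config.ini file" for strict/lax/suppressed, but never names the option or the config section it lives in; administrators grep the changelog for the setting name when upgrading, so please state it here (e.g. "... settable via the `<option name>` option in the `[web]` section of config.ini ..." with the real identifiers from upgrading.txt). It would also help to carry the caveat from the commit message into the entry: since SameSite is only enforced by Chromium-based browsers at this point, the entry should make clear it is defence in depth alongside the CSRF nonce and header checks, not a replacement for them, so nobody reads "Added support for ... CSRF prevention" as a reason to relax the nonce enforcement described in the preceding entry.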

Roundup Issue Tracker: http://roundup-tracker.org/