As a user I'd like to be able to toggle CSRF with respect to Origin header being sent and Firefox

    • Type: Suggestion
    • Resolution: Answered
    • Component/s: None

      Problem Definition

      It turns out that certain actions like adding or removing a user from a group fail with an XSRF message when using Firefox 49.0.2 (the latest version at this time). Firefox is our choice browser because of the useful development add-ons.
      Unfortunately, Firefox does not send the "Origin" header.

      Suggested Solution

      A setting that allows the customer to turn this specific CSRF security feature on or off? e.g. "Check origin header? yes/no"

      Workaround

      By using an add-on to inject the Origin header I was able to get it working, but this is a hack and if I forget to turn off the add-on, all websites I visit will get the domain I use for our Bitbucket instance as the origin header. Needless to say, I do not want to have my entire team using this hack.

            Assignee:
            Unassigned
            Reporter:
            Nate Hansberry (Inactive)
            Votes:
            1
            Watchers:
            6