This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CSRF Guard 2.2 Roadmap"
From OWASP
(→Planned Changes) |
|||
| Line 12: | Line 12: | ||
:# Allow the user to define "unprotected pages" that we will simply ignore. By default, all pages are "protected" | :# Allow the user to define "unprotected pages" that we will simply ignore. By default, all pages are "protected" | ||
:# Modify the response handlers to only place the token in links/forms that point to our origin | :# Modify the response handlers to only place the token in links/forms that point to our origin | ||
| − | :# Update the | + | :# Update the response handlers to support the various locations that an "href" and "src" attribute can be placed in the HTML 5 spec |
| + | :* Update the JavaScriptHandler to support the "embed" tag. Is there a better way to update the attributes where we don't need to know the tag name, like the HTMLParserHandler? | ||
:# Rebuild the project in NetBeans and create jUnit test cases where applicable | :# Rebuild the project in NetBeans and create jUnit test cases where applicable | ||
Revision as of 15:53, 13 December 2007
Overview
The purpose of this article is to maintain the desired change requests for the upcoming CSRFGuard releases. If there is a particular feature that you would like to see implemented, please feel free to add it to the appropriate sections below.
Planned Changes
The following is a list of changes that are tentatively scheduled for the J2EE CSRFGuard 2.2 release:
- Port the existing configuration file to an XML based config file
- Allow the user to define a list of "known safe extensions" that do not require CSRF checks
- Allow the user to define "entry point pages" whose token is never validated but a token always gets inserted
- Allow the user to define "unprotected pages" that we will simply ignore. By default, all pages are "protected"
- Modify the response handlers to only place the token in links/forms that point to our origin
- Update the response handlers to support the various locations that an "href" and "src" attribute can be placed in the HTML 5 spec
- Update the JavaScriptHandler to support the "embed" tag. Is there a better way to update the attributes where we don't need to know the tag name, like the HTMLParserHandler?
- Rebuild the project in NetBeans and create jUnit test cases where applicable
Deferred Changes
The following is a list of changes that were suggested but not implemented:
TBD
Changes Under Consideration
The following is a list of change requests that are still under consideration:
TBD
