
Difference between revisions of "CSRF Guard 2.2 Roadmap"

From OWASP
(Planned Changes)
Line 12: Line 12:
 
:# Allow the user to define "unprotected pages" that we will simply ignore. By default, all pages are "protected"
 
:# Allow the user to define "unprotected pages" that we will simply ignore. By default, all pages are "protected"
 
:# Modify the response handlers to only place the token in links/forms that point to our origin
 
:# Modify the response handlers to only place the token in links/forms that point to our origin
:# Update the Response Handlers to support the various locations that an "href" and "src" attribute can be placed in the HTML 5 spec
+
:# Update the response handlers to support the various locations that an "href" and "src" attribute can be placed in the HTML 5 spec
 +
:* Update the JavaScriptHandler to support the "embed" tag. Is there a better way to update the attributes where we don't need to know the tag name, like the HTMLParserHandler?
 
:# Rebuild the project in NetBeans and create jUnit test cases where applicable
 
:# Rebuild the project in NetBeans and create jUnit test cases where applicable
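Review bot: The added `:*` line for the JavaScriptHandler "embed" item sits between two `:#` items, and in MediaWiki list markup a line with a different prefix ends the numbered list, so the following `:# Rebuild the project in NetBeans ...` item restarts at 1 instead of continuing the sequence. Nest the bullet under the preceding response-handlers item (for example with a `:#*` prefix) so the numbering carries on. The open question in the same line ("Is there a better way ...") would also be easier to track as its own entry than inside a planned change.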
  

Revision as of 15:53, 13 December 2007

Overview

The purpose of this article is to maintain the desired change requests for the upcoming CSRFGuard releases. If there is a particular feature that you would like to see implemented, please feel free to add it to the appropriate sections below.

Planned Changes

The following is a list of changes that are tentatively scheduled for the J2EE CSRFGuard 2.2 release:

  1. Port the existing configuration file to an XML-based config file
  2. Allow the user to define a list of "known safe extensions" that do not require CSRF checks
  3. Allow the user to define "entry point pages" whose token is never validated but a token always gets inserted
  4. Allow the user to define "unprotected pages" that we will simply ignore. By default, all pages are "protected"
  5. Modify the response handlers to only place the token in links/forms that point to our origin
  6. Update the response handlers to support the various locations that an "href" and "src" attribute can be placed in the HTML 5 spec
     • Update the JavaScriptHandler to support the "embed" tag. Is there a better way to update the attributes where we don't need to know the tag name, like the HTMLParserHandler?
  7. Rebuild the project in NetBeans and create JUnit test cases where applicable
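
A sketch of what items 5 and 6 ask for, keyed on the attribute name rather than the tag name as the "embed" question suggests. This is an added example, not CSRFGuard code: the parameter name `csrf_token`, the page URL, the token value and the sample markup are all constructed, and attribute values are treated as plain URL strings with no HTML entity handling.

```javascript
// Added example, not CSRFGuard code. Token name, URLs and token are constructed.
const TOKEN_NAME = "csrf_token"; // hypothetical parameter name
const PAGE = "https://app.example.test/account/home"; // constructed page URL

// Return rawUrl with the token appended only when it resolves to the page's
// own origin (scheme + host + port); otherwise return it unchanged.
function addTokenIfSameOrigin(rawUrl, pageUrl, token) {
  if (rawUrl === "" || rawUrl.startsWith("#")) return rawUrl; // same-document link
  let target;
  try {
    target = new URL(rawUrl, pageUrl); // resolves relative and //host forms
  } catch (e) {
    return rawUrl; // unparseable: leave it alone rather than guess
  }
  // javascript:, data: and mailto: URLs have the opaque origin "null".
  if (target.origin !== new URL(pageUrl).origin) return rawUrl;
  if (target.searchParams.has(TOKEN_NAME)) return rawUrl; // already tokenised
  // Insert before any #fragment so the token is actually sent to the server.
  const hashAt = rawUrl.indexOf("#");
  const base = hashAt === -1 ? rawUrl : rawUrl.slice(0, hashAt);
  const frag = hashAt === -1 ? "" : rawUrl.slice(hashAt);
  const sep = base.includes("?") ? "&" : "?";
  return base + sep + TOKEN_NAME + "=" + encodeURIComponent(token) + frag;
}

// Rewrite every quoted href/src attribute regardless of the tag carrying it,
// so <a>, <img>, <embed>, <iframe> and so on need no per-tag handling.
// The leading \s keeps attributes such as data-src from matching.
function rewriteUrlAttributes(html, pageUrl, token) {
  return html.replace(/(\s(?:href|src)\s*=\s*)(["'])(.*?)\2/gi,
    (match, prefix, quote, value) =>
      prefix + quote + addTokenIfSameOrigin(value, pageUrl, token) + quote);
}

// Constructed sample markup: two same-origin URLs, two foreign, one fragment.
const SAMPLE = [
  '<a href="/transfer?to=42">pay</a>',
  '<embed src="media/clip.swf">',
  '<a href="https://partner.example.net/offer">ad</a>',
  '<img src="//cdn.example.net/logo.png">',
  '<a href="#top">top</a>',
].join("\n");

function demo() { return rewriteUrlAttributes(SAMPLE, PAGE, "t0k3n"); }
console.log(demo());
```

Only the first two lines of the sample gain the token; the partner link, the protocol-relative CDN image and the fragment link are left as written, so the token never appears in a request or Referer header sent to another origin.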

Deferred Changes

The following is a list of changes that were suggested but not implemented:

TBD

Changes Under Consideration

The following is a list of change requests that are still under consideration:

TBD