Add ability to "opt out" of CsrfOptions.IMPLICIT

[chkal]

Issue by mvcbot
Sunday Oct 25, 2015 at 19:01 GMT
Originally opened as mvc-spec/mvc-spec#70

---

Original issue MVC_SPEC-58 created by kito75:

It'd be nice to opt out of implicit CSRF protection, maybe with an annotation like @CsrfValidDisabled,

[chkal]

Comment by chkal
Sunday Feb 11, 2018 at 12:43 GMT

---

I'm not completely sure if this is something we should support. Assigning to "Future" for now. Anyone feel free to comment if you disagree with this decision.

[erdlet]

Think this is something we should discuss together with #22.

[chkal]

Agreed. However, I still don't see a use case for disabling such an important security feature.

[erdlet]

Think we should close this, because of those two reasons:

• As @chkal mentioned, it is hardly to imagine a use-case that opens a vulnerability on purpose
• In case there is really a use-case that needs CSRF protection disabled for specific resources, you can achieve this with the combination of CsrfOptions.EXPLICIT and removing the @CsrfProtected annotation on this resource

Any other thoughts?

[chkal]

I agree that we should close this issue! 👍