Item2156: Update the CSRF 'suspicion' message
Priority: Normal
Current State: Closed
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
It is suggested that we update the CSRF "suspicion" message to indicate that JavaScript is required.
--
IngoKappler
I updated WhyYouAreAskedToConfirm, which is referred to from the templates that generate the dialog, if I'm not mistaken. We might want to add the JavaScript suggestion to the validation.tmpl itself as well. If no one objects, I will do so.
--
KoenMartens - 25 Sep 2009
This can even go into <noscript> tags so that it is only shown when no JavaScript is on.
--
ArthurClemens - 25 Sep 2009
I've seen the WhyYouAreAskedToConfirm related error message several times in our intranet based wiki and I am pretty sure no one tries to attack. So I found that I most likely triggered it by starting an edit session, then leaving it via the back button and re-entering it later on maybe even via another tab.
What I want to say is that this "...can sometimes be triggered when you do something perfectly innocent." may not be that innocent but "stupid" and "general" end user behaviour. Shouldn't this reaction also be addressed in WhyYouAreAskedToConfirm, so users can read about it instead of wondering what they did wrong?
--
IngoKappler - 25 Sep 2009
This has been implemented, first revision on 18 Nov 2009. The JavaScript note is at the bottom.
--
ArthurClemens - 22 Jan 2011