Details
- Type: Bug
- Status: Closed
- Priority: Normal
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 2020-04-27
- Labels: None
Description
External websites can construct POST requests that submit data to user/admin forms on musicbrainz.org. If the user is logged in on MusicBrainz, these requests will be processed if the fields validate.
Browsers defaulting cookies to SameSite=Lax would in theory mitigate this, but that same default also breaks release editor seeding (MBS-10717), so it cannot be relied on here.
We should add CSRF tokens to any forms that can modify user data or administrate the site.
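The fix described above, as an added illustration rather than code from the MusicBrainz project: a server mints a CSRF token bound to the user's session via an HMAC, embeds it in the form, and a POST handler rejects any submission whose token does not verify. A cross-site form post can carry the victim's session cookie but cannot read or forge the token, so it fails the check. `SERVER_SECRET`, the session id, the form handler and the field names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token for the form: nonce.HMAC(secret, session_id|nonce).

    Binding the MAC to the session id means a token issued for one
    logged-in user is useless when replayed against another session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(
        SERVER_SECRET, f"{session_id}|{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(
        SERVER_SECRET, f"{session_id}|{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_profile_update(session_id: str, form: dict) -> tuple:
    """Simulated POST handler for a hypothetical user-settings form.

    The session id stands in for the session cookie the browser attaches
    to every request, including ones a third-party page submits.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # Only reached for a submission that originated from our own form.
    return 200, f"email updated to {form['email']}"


if __name__ == "__main__":
    sid = "constructed-session-id"
    token = issue_csrf_token(sid)
    # Legitimate submission from the site's own form.
    print(handle_profile_update(sid, {"email": "me@example.org", "csrf_token": token}))
    # Cross-site POST: cookie is present, token is not.
    print(handle_profile_update(sid, {"email": "changed@example.org"}))
```

The nonce makes each issued token distinct without requiring server-side storage; the session binding, not the nonce, is what stops replay across users. Tokens must still be sent only in the form body or a custom header, never as a URL parameter that could leak via logs or the Referer.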