
If a user does not have cookies enabled, they need to be told to have cookies enabled to use the credit card form
Open, Medium, Public, Feature


Users need cookies enabled for session handling on the credit card form to prevent CSRF. At the moment, depending on the particular form the user sees, they can either be entered into an infinite loop of the credit card form refreshing, or they can still transparently go through the process, although it is a security vulnerability.

Version: unspecified
Severity: enhancement
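One way to handle the missing-cookie case described in this task, as an added example that is not code from the Wikimedia fundraising form: the handler sets a session cookie and redirects once with a `cookie_test=1` marker; if that marker comes back without the cookie, it shows an "enable cookies" message instead of redirecting again (no loop) and never falls through to an unprotected form (no CSRF bypass). The `/creditcard` path, the `session_id` cookie name and the in-memory session store are assumptions for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

# Hypothetical in-memory session store, constructed for this example.
SESSIONS = {}
SESSION_COOKIE = "session_id"
FORM_PATH = "/creditcard"


def handle_request(method, query, cookie_header, form=None):
    """Return (status, headers, body) for the credit card form endpoint."""
    cookies = SimpleCookie(cookie_header or "")
    sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
    params = parse_qs(query)
    session = SESSIONS.get(sid)

    if session is None:
        # No usable session cookie came back. If we already tried to set one
        # (cookie_test=1 is in the query), the browser is not sending cookies:
        # stop with a clear message rather than redirecting forever, and do not
        # fall through to a form whose CSRF check could not be enforced.
        if params.get("cookie_test") == ["1"]:
            return 403, {}, "Cookies must be enabled to use the credit card form."
        new_sid = secrets.token_urlsafe(16)
        SESSIONS[new_sid] = {"csrf": secrets.token_urlsafe(16)}
        # Preserve the original query parameters and add the cookie-test marker.
        kept = {k: v[0] for k, v in params.items()}
        kept["cookie_test"] = "1"
        headers = {
            "Set-Cookie": f"{SESSION_COOKIE}={new_sid}; HttpOnly; Secure; SameSite=Lax",
            "Location": FORM_PATH + "?" + urlencode(kept),
        }
        return 302, headers, ""

    if method == "GET":
        # The anti-CSRF token is bound to this caller's own session.
        body = (f'<form method="post"><input type="hidden" name="csrf" '
                f'value="{session["csrf"]}">...</form>')
        return 200, {}, body

    # POST: the submitted token must match the one stored in the session.
    submitted = (form or {}).get("csrf", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, {}, "Invalid or missing CSRF token."
    return 200, {}, "Payment accepted."
```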



Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:12 PM
bzimport set Reference to bz25622.

What was the trick again (apart from deleting cookies) to get the donation banners displayed again? Adding some parameter to the URL, I assume? Or is that documented somewhere for testers?
Would love to check if this is still a problem nowadays.

mwalker wrote:

There are two 'tricks' if you will. One is adding &reset=1 (and possibly &banner= a banner name from CN if there's no banners currently being run). The other is to delete the 'centralnotice_fundraising' cookie if it exists (this sets the hide flag which will stop CN from even requesting a banner).

Awjrichards set Security to None.
Awjrichards removed a subscriber: Tfinc.
Awjrichards removed a subscriber: Awjrichards.
Aklapper added a subscriber: Aklapper.

Didn't e35494d6934d973e2ab32dcf270af0234a5f906b fix this?
If not, where can a contributor see the "credit card form" to test this?

Removing good first task tag for the time being; feel free to re-add once more info has been provided for a contributor.

Aklapper changed the subtype of this task from "Task" to "Feature Request". Feb 4 2022, 12:24 PM