Merge pull request #4250 from daniel-beck/crumb-exclusion-javadoc

Note that CSRF crumbs aren't really needed anymore for API clients

Merge pull request #4250 from daniel-beck/crumb-exclusion-javadoc
Note that CSRF crumbs aren't really needed anymore for API clients
080bfca9 · Oleg Nenashev · GitHub · c8349abd · 974f7904 · 080bfca9
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

core/src/main/java/hudson/security/csrf/CrumbExclusion.java core/src/main/java/hudson/security/csrf/CrumbExclusion.java +4 -0

未找到文件。
--- a/core/src/main/java/hudson/security/csrf/CrumbExclusion.java
+++ b/core/src/main/java/hudson/security/csrf/CrumbExclusion.java
@@ -17,6 +17,10 @@ import java.io.IOException;
 /**
 * Allows plugins to define exceptions to the CSRF protection filter.
 *
+ * Please note that Jenkins 2.96 and newer accepts HTTP POST requests without CSRF crumb, if
+ * HTTP Basic authentication uses an API token instead of a password, so many use cases
+ * (simple API clients that support authentication but not obtaining a crumb) should be obsolete.
+ *
 * @author Kohsuke Kawaguchi
 * @since 1.446
 */