1 file changed,
+8 insertions,
-8 deletions
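--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -26,14 +26,14 @@ const REJECTED_BEFORE_CSRF_LAYER: &[&str] = &[
 // (populated empirically — see test output if this list is wrong)
 ];
 
-/// Auto-posture paths with a known, tracked pre-auth CSRF gap (CHRONIC A′).
-///
-/// Empty as of 2026-06-15: the gap is CLOSED. `validate_auto` no longer skips
-/// token validation for logged-out callers, and the posture-independent
-/// `origin_gate` (layered on the whole `CsrfRouter` tree in `finalize`) rejects
-/// positively cross-site mutations. If a new pre-auth gap is ever introduced,
-/// list it here with a justification and a tracking pointer.
-const KNOWN_PREAUTH_CSRF_GAPS: &[&str] = &[];
+// CHRONIC A′ (the pre-auth CSRF gap) is CLOSED as of 2026-06-15: `validate_auto`
+// no longer skips token validation for logged-out callers, and the
+// posture-independent `origin_gate` (layered on the whole `CsrfRouter` tree in
+// `finalize`) rejects positively cross-site mutations. There is no longer a
+// tracked-gap allowlist; `forgot_password_rejects_preauth_tokenless_post` below
+// pins the fix. If a new pre-auth gap is ever knowingly accepted, reintroduce a
+// justified allowlist + a test that flips when it closes (see git history for
+// the prior `KNOWN_PREAUTH_CSRF_GAPS` forcing-function pattern).
 
 /// Core coverage assertion: every Auto-posture route rejects an authenticated
 /// request that carries no CSRF token. This catches a route that lost its auto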
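Review bot: Removing the empty `KNOWN_PREAUTH_CSRF_GAPS` allowlist also removes the only per-route statement of the pre-auth guarantee; the replacement comment at new lines 33–34 pins the fix with the single `forgot_password_rejects_preauth_tokenless_post` test, while the core coverage assertion that follows (its doc at 38–39) describes an authenticated tokenless request. If that route-enumerating assertion does not also send each Auto-posture route a tokenless request as a logged-out caller, a `validate_auto` regression on any route other than forgot-password would go unnoticed; I'd extend it to run both the authenticated and unauthenticated case, or at minimum have this comment name the test that provides per-route pre-auth coverage, e.g. `// per-route pre-auth coverage: <test name>`. Also consider replacing the "see git history" pointer with this commit's id, since `KNOWN_PREAUTH_CSRF_GAPS` will no longer be greppable in the tree. The coverage assertion's body lies outside the hunk, so its actual request posture cannot be confirmed here.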