denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

Finding details are not linkable from external sources #1329

Open iriusrisk opened 9 years ago

iriusrisk commented 9 years ago

The URL to view finding details such as: http://localhost:8080/threadfix/organizations/1/applications/1/vulnerabilities/61?nonce=56CEBDB49640144F530AA9A1B13A9944

doesn't work without the nonce parameter. We would like to link to ThreadFix findings from an external tool, but since the nonce is required, this doesn't work.

Would it be possible to remove the nonce for GET requests in general to make linking possible?

geoffreydudragne commented 9 years ago

Actually this link will work in the case you have to login first, because the login page will deep link it and add a correct nonce (of course, it's not a very satisfying situation but at least this scenario works).

I tried to change it myself for the GET requests, but unfortunately even with a thorough investigation I couldn't find any easy fix, because the current solution was custom implemented (probably before the official Spring support for CSRF protections) and the change would now require some non-trivial front-end refactoring. I hope Denim Group will take care of it some day.
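The two comments above describe the design question behind the issue: a CSRF nonce is only needed on requests that change state, so safe methods (GET, HEAD, OPTIONS) can be exempted and their URLs become linkable, while the login page can still deep-link by appending the session's nonce. The following is an added, stand-alone Python illustration of that policy; it is not ThreadFix code and does not reflect how ThreadFix's custom nonce filter is implemented. The function names (`check_request`, `deep_link_after_login`), the session-stored nonce and the sample URLs are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Hypothetical CSRF policy: only state-changing methods carry a nonce.
# Exempting these methods is only sound if GET/HEAD/OPTIONS handlers never
# mutate state; a "GET /delete/1" endpoint would have to become POST first.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def new_nonce() -> str:
    """Per-session CSRF nonce; secrets gives an unpredictable value."""
    return secrets.token_hex(16)


def csrf_required(method: str) -> bool:
    """True for methods that must present a valid nonce."""
    return method.upper() not in SAFE_METHODS


def check_request(method: str, url: str, session_nonce, form_nonce=None) -> bool:
    """Decide whether a request may proceed under the GET-exempt policy.

    Safe methods pass without a nonce, so a bare finding URL is linkable
    from an external tool. State-changing methods must supply a nonce
    (form field or ?nonce= query) equal to the one stored in the session.
    """
    if not csrf_required(method):
        return True
    supplied = form_nonce
    if supplied is None:
        supplied = parse_qs(urlparse(url).query).get("nonce", [None])[0]
    if supplied is None or session_nonce is None:
        return False
    # Constant-time comparison so a mismatch does not leak prefix length.
    return hmac.compare_digest(supplied, session_nonce)


def deep_link_after_login(requested_url: str, session_nonce: str) -> str:
    """Reproduce the login deep-link behaviour described in the thread:
    the login page redirects to the originally requested URL with the
    session's nonce added (or replaced) in the query string."""
    parts = urlparse(requested_url)
    query = parse_qs(parts.query)
    query["nonce"] = [session_nonce]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    # Constructed sample: the finding URL from the issue, with and without nonce.
    base = "http://localhost:8080/threadfix/organizations/1/applications/1/vulnerabilities/61"
    nonce = new_nonce()
    print("GET without nonce allowed:", check_request("GET", base, nonce))
    print("POST without nonce allowed:", check_request("POST", base, nonce))
    print("Deep link:", deep_link_after_login(base, nonce))
```

Under this policy the external tool links to the bare finding URL, the view handler serves it on GET without any token, and only the actions that modify a finding (POST/PUT/DELETE) are checked. The `deep_link_after_login` helper shows the workaround Geoffrey describes: even when the nonce is still required, a login redirect can supply it.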