Comment 39 for bug 560246

Ben Bucksch (benbucksch) wrote:

Robert, that doesn't matter. Requiring referer is not an option on the web, because the HTTP spec not only says that it's optional, but specifically warns about privacy problems it causes.

See http://www.apps.ietf.org/rfc/rfc2616.html#sec-15.1.3
Quote from the HTTP spec:
"Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information."

So, you're saying I can only contribute to Ubuntu when I give up my privacy? I hope not. But that's currently the choice I have.

---

This implements a CSRF without relying on referers:
https://github.com/mozilla/django-session-csrf
HTH
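The session-bound token approach the linked project takes, shown here as an added illustration that is not the commenter's or django-session-csrf's code: the session store is a constructed in-memory dict, the Referer-based check is included only to contrast the two, and the form field name mirrors Django's.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in forms rendered for this session."""
    return SESSIONS[sid]["csrf_token"]


def csrf_check(form, session_id):
    """Accept a state-changing request only if the submitted token matches the
    one stored in the session. The Referer header is never consulted, so a
    client that suppresses it (as RFC 2616 section 15.1.3 allows) is not locked out,
    while a cross-site forger, who cannot read the victim's session token, fails."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    submitted = form.get("csrfmiddlewaretoken", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    return hmac.compare_digest(submitted, session["csrf_token"])


def referer_check(headers, allowed_host):
    """The approach the comment objects to: a missing Referer means rejection,
    which forces privacy-conscious users to choose between privacy and access."""
    referer = headers.get("Referer")
    if referer is None:
        return False
    return referer.startswith("https://" + allowed_host + "/")
```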