Comment 41 for bug 560246

Ben Bucksch (benbucksch) wrote:

> Turn off referer for all other sites, turn it on for LP only.

That's not possible. Firefox has no preference for that. Other browsers are in even worse situations.

Fact is: The spec says the referer header is purely optional.
http://www.apps.ietf.org/rfc/rfc2616.html#sec-14.35.2
Requiring it is, thus, a violation of the spec. Webapps *cannot* require Referer.

> Or, as has been said before, contribute a patch to implement the
> required protection in another fashion.

You haven't defined what exactly is "required" yet. Several people here have said that the check is not necessary for CSRF. You have only replied that the Referer check is necessary. Without a high-level spec, there are no alternative implementations possible.

In my last comment, I have given an example of how to implement CSRF without referer.
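As an added example (not part of this bug thread, nor Launchpad's own code), here are the two approaches the comment contrasts, side by side in Python: a Referer-only check, which has no choice but to reject a request that carries no Referer at all, and a per-session synchronizer token that does not depend on the header. The site origin and session ids are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed placeholder origin; not taken from the bug report.
SITE_ORIGIN = "https://example.invalid"


def referer_check(headers, site_origin=SITE_ORIGIN):
    """Referer-only CSRF check, the approach the comment objects to.

    Returns False when the header is absent: because Referer is optional,
    a user whose browser or proxy suppresses it is locked out even though
    the request is legitimate."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlparse(referer)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


# Synchronizer-token alternative: the secret is only obtainable by loading a
# page from the site itself, so a cross-site form cannot read or forge it.
_sessions = {}  # session_id -> csrf token (in-memory stand-in for a session store)


def issue_token(session_id):
    """Create (or reuse) the CSRF token bound to a session; the server embeds
    it in the form as a hidden field."""
    token = _sessions.get(session_id)
    if token is None:
        token = secrets.token_hex(32)
        _sessions[session_id] = token
    return token


def token_check(session_id, submitted_token):
    """Accept a state-changing request only if the submitted token matches
    the one bound to this session, using a constant-time comparison."""
    expected = _sessions.get(session_id)
    if expected is None or submitted_token is None:
        return False
    return hmac.compare_digest(expected, submitted_token)


def accept_post(session_id, form, headers):
    """Server-side decision: the token decides, the Referer header is ignored.
    Returns an (allowed, reason) pair."""
    if token_check(session_id, form.get("csrf_token")):
        return True, "valid token"
    return False, "missing or wrong token"
```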