add csrf tokens to forms.
Bug #678401 reported by dave b.
This bug report is a duplicate of:
Bug #560246: Launchpad requires the REFERER header on form submission breaking with noscript and other privacy/spam browser plugins.
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | New | Undecided | Unassigned |
Bug Description
So while checking the REFERER is ok in most situations, it may be possible to spoof the REFERER.
If an attacker can spoof the REFERER they can potentially post to a URL like https:/
Really, csrf tokens should be added to forms.
[0] - https:/
[1] - http://
Specifically http://www.cgisecurity.com/csrf-faq.html#referer seems relevant.
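
The difference between a Referer check and a per-session form token, as an added example (not Launchpad's code and not part of the original report). The host name, session identifiers, key handling and `timestamp:mac` token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed values for this example; not Launchpad's configuration.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_HOST = "app.example.test"
TOKEN_LIFETIME = 3600  # seconds

def referer_check(headers):
    """Header-only defence: accept if the Referer names our own host."""
    return urlsplit(headers.get("Referer", "")).hostname == TRUSTED_HOST

def _mac(session_id, ts):
    # Binding the MAC to the session stops a token from one user's
    # session being replayed in a form submitted under another's.
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id, now=None):
    """Return 'timestamp:mac' to embed in a hidden form field."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(session_id, ts)}"

def token_check(session_id, form, now=None):
    """Accept only a fresh token that was minted for this session."""
    ts, _, mac_hex = form.get("csrf_token", "").partition(":")
    if not (ts.isascii() and ts.isdigit() and mac_hex):
        return False
    now = time.time() if now is None else now
    if not 0 <= now - int(ts) <= TOKEN_LIFETIME:
        return False
    # Constant-time comparison on bytes, so odd input cannot raise.
    return hmac.compare_digest(_mac(session_id, ts).encode(), mac_hex.encode())

def demo():
    session = "session-A"  # constructed session identifier
    good_form = {"csrf_token": issue_token(session, now=1000)}
    # Constructed request whose Referer claims our host but carries no token.
    forged_headers = {"Referer": f"https://{TRUSTED_HOST}/some/form"}
    forged_form = {"comment": "hello"}
    return {
        "legit_token": token_check(session, good_form, now=1500),
        "forged_passes_referer": referer_check(forged_headers),
        "forged_passes_token": token_check(session, forged_form, now=1500),
        "other_session_token": token_check("session-B", good_form, now=1500),
        "expired_token": token_check(session, good_form, now=4601),
    }
```

The request with only a matching Referer passes `referer_check` but fails `token_check`, because the token depends on a server-side key and the session rather than on a client-supplied header.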