Tristan: C1 probably. There is plenty an attacker can do if they have access to someone's browser history, and as already pointed out they would need to exploit it before the session validity expires (10 minutes by default). This falls squarely in the realm of impracticality.
I recommend we switch this to a normal bug report on Monday unless there are objections to the contrary before then.