Yes, you need to have a valid Referer: header in the request since 2.4.41 - this is a deliberate security feature to prevent XSS/XSRF attacks. So I don't see a bug here.
Yes, you need to have a valid Referer: header in the request since 2.4.41 - this is a deliberate security feature to prevent XSS/XSRF attacks. So I don't see a bug here.