It seems that there is no way to protect the WebUI from CSRF, and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well. I have searched the documentation and also done quite a bit of Googling but have not seen any references to this. Is this known and/or intended behavior?
The attached file should demonstrate the (elementary) attack.

Thanks in advance,
P