On Thu, Aug 15, 2013 at 04:27:53PM +0200, Petr Viktorin wrote:
>
> > >Alternatively, how essential is this requirement for the referer
> > >header -- couldn't it be dropped, maybe via some config option?
>
> Without it, a malicious link/button on any webpage (or e-mail) could
> do any action in IPA, if clicked by a logged-in admin.
Could we change the CSRF protection method from the Referrer check to
some user session specific token?

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
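The two schemes the thread compares, side by side, as an added example that is not part of the thread and not FreeIPA's own code: a Referer-origin check (the one Petr describes, which has to fail closed when the header is absent, otherwise a cross-site form post with the admin's cookies would sail through) and the per-session token Jan proposes, which a foreign page cannot read and therefore cannot forge. The origin `https://ipa.example.test`, the `evil.example` lure, and all request headers and form bodies are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the IPA web UI in this example (constructed value).
APP_ORIGIN = "https://ipa.example.test"


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if malformed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def referer_check(headers, app_origin=APP_ORIGIN):
    """Referer-based scheme: a state-changing request is accepted only when
    its Referer carries the application's own origin. A missing Referer is
    rejected (fail closed); this is why the check cannot simply be dropped,
    because a cross-site post would otherwise be accepted with the
    browser-attached session cookie."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return origin_of(referer) == app_origin


class Session:
    """Server-side session that issues a per-session anti-CSRF token."""

    def __init__(self):
        # 256 bits of randomness, bound to this session only.
        self.csrf_token = secrets.token_urlsafe(32)

    def token_field(self):
        """Value the legitimate UI embeds in its forms / XHR bodies."""
        return self.csrf_token


def token_check(session, submitted):
    """Per-session token scheme: the request must carry the token issued to
    this very session. A cross-site page cannot read it (same-origin policy),
    so it cannot build a valid request even though the browser sends the
    session cookie automatically."""
    if not submitted:
        return False
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(session.csrf_token, submitted)


def authorize_state_change(session, headers, form, scheme):
    """Dispatch to one of the two schemes so both run on the same requests."""
    if scheme == "referer":
        return referer_check(headers)
    if scheme == "token":
        return token_check(session, form.get("csrf_token"))
    raise ValueError(f"unknown CSRF scheme: {scheme}")


def sample_requests(session):
    """Constructed sample requests (headers, form body); not real IPA traffic."""
    return {
        # Admin clicks a button inside the real UI.
        "legit_ui": ({"Referer": APP_ORIGIN + "/ipa/ui/"},
                     {"csrf_token": session.token_field()}),
        # A foreign page auto-submits a form at IPA: the cookie goes along,
        # but the Referer names the foreign origin and no token is known.
        "cross_site": ({"Referer": "https://evil.example/lure.html"}, {}),
        # Same cross-site post, Referer suppressed (privacy setting, proxy).
        "cross_site_no_referer": ({}, {}),
        # Legitimate client whose Referer is stripped: only the token lets it in.
        "legit_no_referer": ({}, {"csrf_token": session.token_field()}),
    }


def evaluate(session):
    """Return {request_name: {scheme: accepted}} for every sample request."""
    results = {}
    for name, (headers, form) in sample_requests(session).items():
        results[name] = {s: authorize_state_change(session, headers, form, s)
                         for s in ("referer", "token")}
    return results


if __name__ == "__main__":
    s = Session()
    for name, verdicts in evaluate(s).items():
        print(f"{name:24s} referer={verdicts['referer']!s:5s} token={verdicts['token']}")
```

The last sample request is the practical difference behind Jan's question: a legitimate client whose Referer is stripped is rejected by the Referer scheme but accepted by the token scheme, while both schemes reject the cross-site posts. A deployment that switched to tokens would also need the UI to fetch and send the token on every state-changing call, which the example's `token_field()` stands in for.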
