On Mon, 2013-09-02 at 14:31 +0800, Jan Pazdziora wrote:
> On Thu, Aug 15, 2013 at 04:27:53PM +0200, Petr Viktorin wrote:
> >
> > > Alternatively, how essential is this requirement for the referer
> > > header -- couldn't it be dropped, maybe via some config option?
> >
> > Without it, a malicious link/button on any webpage (or e-mail) could
> > do any action in IPA, if clicked by a logged-in admin.
>
> Could we change the CSRF protection method from the Referrer check to
> some user session specific token?
Where do you store it on the client side?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
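An added illustration of the two CSRF defences discussed in this thread, written for this page and not code from FreeIPA or from any of the posters. It contrasts the Referer check with a session-bound token and assumes a hypothetical IPA origin, a constructed server secret, and a client (the web UI's JavaScript) that keeps the token in memory after login and sends it back in a custom `X-CSRF-Token` header, which a cross-site form or link cannot set or read.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed values for the demo; a real server would load its secret from config.
SERVER_SECRET = b"demo-server-secret-not-for-production"
IPA_ORIGIN = "https://ipa.example.test"  # hypothetical IPA host


def referer_check(headers):
    """Referer-based defence as described in the thread: reject any request whose
    Referer is missing or points at another origin."""
    referer = headers.get("Referer")
    if not referer:
        return False
    r, o = urlparse(referer), urlparse(IPA_ORIGIN)
    return (r.scheme, r.netloc) == (o.scheme, o.netloc)


def issue_csrf_token(session_id):
    """Session-specific token: HMAC of the session id under a server secret, so the
    server stores nothing extra and a token from one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(session_id, headers):
    """Token-based defence: the client must echo the session's token in a custom
    header; a cross-site page can neither read the token nor set custom headers."""
    presented = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(presented, issue_csrf_token(session_id))


def simulate():
    """Run both checks over constructed requests; each result is (referer_ok, token_ok)."""
    sid = secrets.token_hex(16)
    tok = issue_csrf_token(sid)
    legit = {"Referer": IPA_ORIGIN + "/ipa/ui/", "X-CSRF-Token": tok}
    cross_site = {"Referer": "https://other.example.test/page"}   # constructed third-party page
    referer_stripped = {"X-CSRF-Token": tok}                       # legit client, Referer removed by a proxy
    return {
        "legit": (referer_check(legit), token_check(sid, legit)),
        "cross_site": (referer_check(cross_site), token_check(sid, cross_site)),
        "referer_stripped": (referer_check(referer_stripped), token_check(sid, referer_stripped)),
        # A valid token replayed against a different session is rejected.
        "other_session": token_check(secrets.token_hex(16), legit),
    }


if __name__ == "__main__":
    print(simulate())
```

The `referer_stripped` case is the one that motivates the thread: a Referer-only check turns away a legitimate client whose browser or proxy suppresses the header, while the session-bound token still distinguishes it from a cross-site request.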
