https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407
--- Comment #11 from David Cook <[email protected]> ---

At a glance, this should work, but... conventional wisdom is that HTTP Referer/document.referrer shouldn't be used for security. This feels like a workaround.

That said, at the moment, I can't see a particular technical flaw in it. In the context that document.referrer is being used... I can't see a way it could be manipulated to trigger this form submit (other than XSS, but that's an issue for token-based anti-CSRF too).

I thought JavaScript could manipulate the Referer for AJAX requests, but the Internet tells me that's not the case.

So yeah... I think this is OK, but I don't like it. So I won't Fail QA, but I'm not going to Pass QA either. A different QAer may feel differently.
