Laura Creighton writes:

 > become all the more common in the future.  Is insisting that the IP
 > addresses match serving a useful purpose?

Yes.  Differing request origins is the characteristic signature of a
CSRF attack.[1]  I suppose the site could resolve the IP to a domain,
but that would slow things down significantly.

 > Should we have a more informative error message?


Footnotes: 
[1]  https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29


------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/