On Oct 6, 2006, at 4:33 PM, Chris Shiflett wrote:
Until July of this year, checking the Referer was thought to be a
pretty
good safeguard against CSRF, because an attacker would have to cause a
victim to send the right Referer, which isn't so easy.
Unfortunately, Amit Klein published some research in July that
demonstrated how to do this with Flash. So, if your users use clients
that support Flash (which most do), this is not a good safeguard.
Do you have a link to that?
A friend was having issues with flash & referrers recently. I think
everyone but safari may have stripped it out.
