Hi! On 30.06.2012 01:36, Florian Hülsmann wrote:
> Would it be possible to do CSRF protection without requiring the browser
> to send the referer header?
Yes, it is possible. The general approaches center around the concept of transmitting a token value in a hidden form field. The token cannot be predicted by an attacker. It is also necessary. There are quite a few scenarios that mangle the Referer header, such as privacy addons, anti-virus software, proxy servers, or HTTPS trickeries. My personal favorite example is a referer sent as "blockeriert by Norton $something", which showed up regularly in my website logs in the past.

cu, Sven
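The hidden-field token scheme described above, as an added Python example that is not part of the original thread or of ownCloud's code; the session dict, the `csrf_token` slot name and the form field name are assumptions, and the check deliberately never looks at the Referer header:

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"   # assumed session slot, not an ownCloud name
FIELD_NAME = "csrf_token"    # assumed form field name


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) an unpredictable per-session token, stored server-side.

    secrets.token_urlsafe gives 256 bits of CSPRNG output using only
    [A-Za-z0-9_-], so the value is safe to embed in an HTML attribute
    without further escaping.
    """
    token = session.get(SESSION_KEY)
    if not token:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def hidden_field(session: dict) -> str:
    """Render the hidden input that carries the token back with the form post."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{issue_csrf_token(session)}">'


def csrf_request_allowed(session: dict, form: dict) -> bool:
    """Decide whether a state-changing request may proceed.

    Only the server-side session value and the submitted field are consulted,
    so a stripped, blocked or rewritten Referer header has no effect. The
    comparison is constant-time to avoid leaking the token via timing.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get(FIELD_NAME)
    if not isinstance(expected, str) or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: one session, one genuine form post, one forged post
    # (a cross-site attacker cannot read the session-bound token).
    session = {}
    print(hidden_field(session))
    genuine = {FIELD_NAME: session[SESSION_KEY]}
    forged = {"other_field": "x"}  # no token at all, as a forged post would look
    print("genuine accepted:", csrf_request_allowed(session, genuine))  # True
    print("forged accepted:", csrf_request_allowed(session, forged))    # False
```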
