Please drop the necessity of HTTP referer

Asked by Martina Theuerjahr

Surely, the referer might help to hamper "Cross-site request forgery". But aren't there other strong methods to prevent this kind of attack? I'm really not an expert on Internet security, but I know that the HTTP referer itself is a great privacy leak and all web sites (including home banking, eBay, paypal etc.) except for Lauchpad work without transferred HTTP referers. It is rather enervating to disable and enable (on Opera) the referer only for the Launchpad which is a very nice bulletin board, indeed, but just a bulletin board and not a financial transaction tool.

Revision history for this message
David (d--) said :
#1

daveb suggests this article as an answer to your question:
FAQ #1024: “Why does Launchpad require a REFERER header?”.

Revision history for this message
David (d--) said :
#2

However, as noted in https://bugs.launchpad.net/bugs/560246, "Requiring a Referer header does not prevent CSRF".

Revision history for this message
Martina Theuerjahr (mat974) said :
#3

Thanks for your answer. This does not solve my problem (I knew the FAQ topic), but reactivating the discussion on the related bug #560246 hopefully will enhance the usability of the Launchpad for users with high privacy demands.

Revision history for this message
Dedeco (dedeco) said :
#4

I agree with Martina Theuerjahr . I think Launchpad loses contributors and several contributions for myself just for this simple "requirement".

1. It does not completely prevents the attack

2. It makes the usability VERY BAD because it may even discard our already submitted form data

Can you help with this problem?

Provide an answer of your own, or ask Martina Theuerjahr for more information if necessary.

To post a message you must log in.