Please drop the necessity of HTTP referer

Asked by Martina Theuerjahr on 2011-04-09

Surely, the referer might help to hamper "Cross-site request forgery". But aren't there other strong methods to prevent this kind of attack? I'm really not an expert on Internet security, but I know that the HTTP referer itself is a great privacy leak and all web sites (including home banking, eBay, paypal etc.) except for Lauchpad work without transferred HTTP referers. It is rather enervating to disable and enable (on Opera) the referer only for the Launchpad which is a very nice bulletin board, indeed, but just a bulletin board and not a financial transaction tool.

David (d--) said : #1

daveb suggests this article as an answer to your question:
FAQ #1024: “Why does Launchpad require a REFERER header?”.

David (d--) said : #2

However, as noted in, "Requiring a Referer header does not prevent CSRF".

Martina Theuerjahr (mat974) said : #3

Thanks for your answer. This does not solve my problem (I knew the FAQ topic), but reactivating the discussion on the related bug #560246 hopefully will enhance the usability of the Launchpad for users with high privacy demands.

Dedeco (dedeco) said : #4

I agree with Martina Theuerjahr . I think Launchpad loses contributors and several contributions for myself just for this simple "requirement".

1. It does not completely prevents the attack

2. It makes the usability VERY BAD because it may even discard our already submitted form data

Can you help with this problem?

Provide an answer of your own, or ask Martina Theuerjahr for more information if necessary.

To post a message you must log in.