[Freeipa-devel] IPA Server UI Behind Proxy
Jan Pazdziora
jpazdziora at redhat.com
Mon Sep 2 06:31:54 UTC 2013
On Thu, Aug 15, 2013 at 04:27:53PM +0200, Petr Viktorin wrote:
>
> >Alternatively, how essential is this requirement for the referer
> >header -- couldn't it be dropped, maybe via some config option?
>
> Without it, a malicious link/button on any webpage (or e-mail) could
> do any action in IPA, if clicked by a logged-in admin.
Could we change the CSRF protection method from the Referrer check to
some user session specific token?
--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
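The two CSRF defences this exchange contrasts, side by side, as an added example that is not FreeIPA's own code: the Referer check Petr describes (a request is accepted only if its Referer is on the UI's origin) and the per-session token Jan asks about (the page embeds a random value minted for the session, and the server compares it on every state-changing call). The origin `UI_ORIGIN`, the `Session` class and the three sample requests are constructed for illustration; they are not taken from FreeIPA.

```python
"""Referer check versus per-session CSRF token (added example, not FreeIPA code)."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the origin the browser sees the IPA web UI served from.
UI_ORIGIN = "https://ipa.example.test"


def referer_allows(headers):
    """Referer-based check: accept only if Referer is present and on UI_ORIGIN.

    A request that arrives without a Referer (dropped by browser policy or by an
    intermediate proxy) cannot be told apart from a cross-site one, so it is refused.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == UI_ORIGIN


class Session:
    """Server-side session; the CSRF token is minted once per session (assumed design)."""

    def __init__(self):
        self.id = secrets.token_hex(16)
        self.csrf_token = secrets.token_urlsafe(32)


def token_allows(session, submitted):
    """Token check: the value the page embedded must equal this session's token.

    A lure page on another origin cannot read the token out of the IPA page
    (same-origin policy), so a forged form cannot carry a passing value.
    Constant-time comparison avoids leaking the token byte by byte.
    """
    if not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def evaluate(session, request):
    """Run both checks on a request shaped as {'headers': {...}, 'fields': {...}}."""
    return {
        "referer": referer_allows(request["headers"]),
        "token": token_allows(session, request["fields"].get("csrf_token")),
    }


def scenarios(session):
    """Constructed requests: a genuine UI call, a forged cross-site one, and a
    genuine call whose Referer was stripped in transit."""
    genuine = {
        "headers": {"Referer": UI_ORIGIN + "/ipa/ui/"},
        "fields": {"method": "user_add", "csrf_token": session.csrf_token},
    }
    forged = {
        "headers": {"Referer": "https://attacker.example/lure.html"},
        "fields": {"method": "user_add"},  # the attacker has no way to learn the token
    }
    no_referer = {
        "headers": {},
        "fields": {"method": "user_add", "csrf_token": session.csrf_token},
    }
    return {
        name: evaluate(session, req)
        for name, req in (("genuine", genuine), ("forged", forged), ("no_referer", no_referer))
    }


if __name__ == "__main__":
    for name, result in scenarios(Session()).items():
        print(f"{name:11s} referer={result['referer']!s:5s} token={result['token']}")
```

Both checks reject the forged request, which is the property Petr insists on. They differ on the third request: the Referer check turns a legitimate admin action with a missing or rewritten Referer into a refusal, while the token check still passes it because the token travels in the request body rather than in a header a proxy may alter.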