[Freeipa-devel] IPA Server UI Behind Proxy
Simo Sorce
simo at redhat.com
Mon Sep 2 12:38:51 UTC 2013
On Mon, 2013-09-02 at 14:31 +0800, Jan Pazdziora wrote:
> On Thu, Aug 15, 2013 at 04:27:53PM +0200, Petr Viktorin wrote:
> >
> > >Alternatively, how essential is this requirement for the referer
> > >header -- couldn't it be dropped, maybe via some config option?
> >
> > Without it, a malicious link/button on any webpage (or e-mail) could
> > do any action in IPA, if clicked by a logged-in admin.
>
> Could we change the CSRF protection method from the Referrer check to
> some user session specific token?
Where do you store it on the client side?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
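The two CSRF defences being weighed in this thread (rejecting requests whose Referer is not same-origin, versus a per-session token the client must echo back), written out as an added example. This is not FreeIPA code and not the project's actual check; the server origin, the header name `X-CSRF-Token`, the cookie name `csrf_token`, the `Session` class and the sample request headers are all constructed for illustration. The token variant keeps the token in the server-side session and requires the UI to send it in a custom header; the double-submit variant shows one common answer to the client-side storage question, a cookie the UI's own JavaScript can read, at the cost of the caveat noted in the code.

```python
"""CSRF defences: Referer check versus per-session token.

Hypothetical stand-alone example; not FreeIPA's implementation.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the hypothetical server (not taken from the thread).
SERVER_ORIGIN = "https://ipa.example.test"


def referer_check(headers):
    """Accept a state-changing request only if its Referer is same-origin.

    A request forged from another site carries that site's origin, and a
    link followed from an e-mail client usually carries no Referer at all;
    both are rejected. Requests issued by the UI itself pass.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SERVER_ORIGIN


class Session:
    """Server-side session; the token lives here, looked up by session cookie."""

    def __init__(self, token=None):
        # Fresh random token per session unless a fixed one is injected for tests.
        self.csrf_token = token or secrets.token_urlsafe(32)


def token_check(session, headers):
    """Synchronizer-token check: the client must echo the session token in a
    custom header. A page on another origin cannot read the token (same-origin
    policy) and a plain link or auto-submitted form cannot add a custom
    header, so the forged request fails even though the browser attaches the
    session cookie to it."""
    sent = headers.get("X-CSRF-Token")
    if not sent:
        return False
    return hmac.compare_digest(sent, session.csrf_token)


def double_submit_check(cookies, headers):
    """Stateless variant: the token is stored client-side in a cookie that is
    readable by the UI's JavaScript (so it must not be HttpOnly) and echoed in
    the header; the server only compares the two. Caveat: anything able to set
    cookies for the site (for example a compromised sibling subdomain) can
    satisfy this check, so it is weaker than the server-side token."""
    cookie_tok = cookies.get("csrf_token")
    sent = headers.get("X-CSRF-Token")
    if not cookie_tok or not sent:
        return False
    return hmac.compare_digest(cookie_tok, sent)


def authorize(session, headers):
    """Run both defences so the caller can see which one would have fired."""
    return {"referer": referer_check(headers), "token": token_check(session, headers)}


# Constructed request headers (not captured traffic).
SESSION = Session(token="t0k3n-from-server-session")

LEGIT = {  # XHR from the real UI: same-origin Referer, token echoed
    "Cookie": "ipa_session=abc",
    "Referer": SERVER_ORIGIN + "/ipa/ui/",
    "X-CSRF-Token": SESSION.csrf_token,
}
FORGED_FORM = {  # form auto-submitted from an attacker's page; cookie still sent
    "Cookie": "ipa_session=abc",
    "Referer": "https://evil.example.test/lure.html",
}
FORGED_LINK = {  # link clicked in an e-mail client: no Referer at all
    "Cookie": "ipa_session=abc",
}

if __name__ == "__main__":
    for name, hdrs in (("legit", LEGIT), ("forged form", FORGED_FORM), ("forged link", FORGED_LINK)):
        print(name, authorize(SESSION, hdrs))
```

Both checks reject the two forged requests and accept the UI's own; the difference shows up in what each one depends on. The Referer check depends on browsers and mail clients sending a header they are allowed to strip, while the token check depends on the UI being able to store and resend a secret the attacker's page cannot reach.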