Please drop the necessity of HTTP referer

Asked by Martina Theuerjahr

Surely, the referer might help to hamper "Cross-site request forgery". But aren't there other strong methods to prevent this kind of attack? I'm really not an expert on Internet security, but I know that the HTTP referer itself is a great privacy leak and all web sites (including home banking, eBay, PayPal etc.) except for Launchpad work without transferred HTTP referers. It is rather enervating to disable and enable (on Opera) the referer only for the Launchpad which is a very nice bulletin board, indeed, but just a bulletin board and not a financial transaction tool.

David (d--) said :
#1

daveb suggests this article as an answer to your question:
FAQ #1024: “Why does Launchpad require a REFERER header?”.

David (d--) said :
#2

However, as noted in https://bugs.launchpad.net/bugs/560246, "Requiring a Referer header does not prevent CSRF".

Martina Theuerjahr (mat974) said :
#3

Thanks for your answer. This does not solve my problem (I knew the FAQ topic), but reactivating the discussion on the related bug #560246 hopefully will enhance the usability of the Launchpad for users with high privacy demands.

Dedeco (dedeco) said :
#4

I agree with Martina Theuerjahr. I think Launchpad loses contributors and several contributions for myself just for this simple "requirement".

1. It does not completely prevent the attack

2. It makes the usability VERY BAD because it may even discard our already submitted form data

Leonard Riggs (leo-riggs) said :
#5

Unbelievable. If you think requiring HTTP Referer header addresses security concerns, you should not be a programmer! And by requiring such crap, you are pushing away the very sort of customer base who gravitates to FOSS, namely, people who know about computers and who care about privacy. It's simply embarrassing. By doing this, the developers show they are unqualified.
