Question #152211 “Please drop the necessity of HTTP referer” : Questions : xorg package : Ubuntu
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> <base href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+index" /> <meta charset="UTF-8" /> <title>Question #152211 “Please drop the necessity of HTTP referer” : Questions : xorg package : Ubuntu</title> <link rel="apple-touch-icon" sizes="180x180" href="/@@/apple-touch-icon.png?v=2022" /> <link rel="icon" type="image/png" sizes="32x32" href="/@@/favicon-32x32.png?v=2022" /> <link rel="icon" type="image/png" sizes="16x16" href="/@@/favicon-16x16.png?v=2022" /> <link rel="manifest" href="/@@/site.webmanifest?v=2022" /> <link rel="mask-icon" href="/@@/safari-pinned-tab.svg?v=2022" color="#e9531f" /> <link rel="shortcut icon" href="/@@/favicon.ico?v=2022" /> <meta name="msapplication-TileColor" content="#da532c" /> <meta name="msapplication-config" content="/@@/browserconfig.xml?v=2022" /> <meta name="theme-color" content="#ffffff" /> <link type="text/css" rel="stylesheet" media="screen, print" href="/+icing/rev22ade00ab50b929fac63b8ee7252243aceda294a/combo.css" /> <meta name="description" content="Surely, the referer might help to hamper "Cross-site request forgery". But aren't there other strong methods to prevent this kind of attack? I'm really not an expert on Internet security, but I know that the HTTP referer itself is a great privacy leak and all web sites (including home banking, eBay, paypal etc.) except for Lauchpad work without transferred HTTP referers. It is rather enervating to disable and enable (on Opera) the referer only for the Launchpad which is a very nice bulletin ..." /> <meta property="og:description" content="Surely, the referer might help to hamper "Cross-site request forgery". But aren't there other strong methods to prevent this kind of attack? I'm really not an expert on Internet security, but I know that the HTTP referer itself is a great privacy leak and all web sites (including home banking, eBay, paypal etc.) 
except for Lauchpad work without transferred HTTP referers. It is rather enervating to disable and enable (on Opera) the referer only for the Launchpad which is a very nice bulletin ..." /> <meta property="og:title" content="Question #152211 “Please drop the necessity of HTTP referer” : Questions : xorg package : Ubuntu" /> <meta property="og:type" content="website" /> <meta property="og:image" content="/@@/launchpad-og-image.png" /> <meta property="og:url" content="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+index" /> <meta property="og:site_name" content="Launchpad" /> <script type="text/javascript"> var LP = { cache: {}, links: {} }; </script> <script type="text/javascript">var cookie_scope = '; Path=/; Secure; Domain=.launchpad.net';</script> <script type="text/javascript" src="/+combo/rev22ade00ab50b929fac63b8ee7252243aceda294a/?yui/yui/yui-min.js&lp/meta.js&yui/loader/loader-min.js"></script> <script type="text/javascript"> var raw = null; if (LP.devmode) { raw = 'raw'; } YUI.GlobalConfig = { combine: true, comboBase: '/+combo/rev22ade00ab50b929fac63b8ee7252243aceda294a/?', root: 'yui/', filter: raw, debug: false, fetchCSS: false, maxURLLength: 2000, groups: { lp: { combine: true, base: '/+combo/rev22ade00ab50b929fac63b8ee7252243aceda294a/?lp/', comboBase: '/+combo/rev22ade00ab50b929fac63b8ee7252243aceda294a/?', root: 'lp/', // comes from including lp/meta.js modules: LP_MODULES, fetchCSS: false } } }</script> <script type="text/javascript"> // we need this to create a single YUI instance all events and code // talks across. All instances of YUI().use should be based off of // LPJS instead. 
var LPJS = new YUI(); </script> <script id="base-layout-load-scripts" type="text/javascript"> //<![CDATA[ LPJS.use('base', 'node', 'console', 'event', 'oop', 'lp', 'lp.app.foldables','lp.app.sorttable', 'lp.app.inlinehelp', 'lp.app.links', 'lp.bugs.bugtask_index', 'lp.bugs.subscribers', 'lp.app.ellipsis', 'lp.code.branchmergeproposal.diff', 'lp.views.global', function(Y) { Y.on("domready", function () { var global_view = new Y.lp.views.Global(); global_view.render(); Y.lp.app.sorttable.SortTable.init(); Y.lp.app.inlinehelp.init_help(); Y.lp.activate_collapsibles(); Y.lp.app.foldables.activate(); Y.lp.app.links.check_valid_lp_links(); }); Y.on('lp:context:web_link:changed', function(e) { window.location = e.new_value; }); }); //]]> </script> <script id="base-helper-functions" type="text/javascript"> //<![CDATA[ // This code is pulled from lp.js that needs to be available on every // request. Pulling here to get it outside the scope of the YUI block. function setFocusByName(name) { // Focus the first element matching the given name which can be focused. var nodes = document.getElementsByName(name); var i, node; for (i = 0; i < nodes.length; i++) { node = nodes[i]; if (node.focus) { try { // Trying to focus a hidden element throws an error in IE8. if (node.offsetHeight !== 0) { node.focus(); } } catch (e) { LPJS.use('console', function(Y) { Y.log('In setFocusByName(<' + node.tagName + ' type=' + node.type + '>): ' + e); }); } break; } } } function selectWidget(widget_name, event) { if (event && (event.keyCode === 9 || event.keyCode === 13)) { // Avoid firing if user is tabbing through or simply pressing // enter to submit the form. 
return; } document.getElementById(widget_name).checked = true; } //]]> </script> <style type="text/css" media="screen"> div.confirmBox { margin: 0; padding-right: 0.5em; padding-bottom: 0.5em; text-align: right; } </style> <script type="text/javascript"> LPJS.use('base', 'node', 'event', 'lp.app.comment', 'lp.answers.subscribers', 'lp.services.messages.edit', function(Y) { Y.on('domready', function() { LP.cache.comment_context = LP.cache.context; var first_comment = Y.one('.boardComment'); if (first_comment !== null) { var cl = new Y.lp.app.comment.CommentList({ comment_list_container: first_comment.get('parentNode') }); cl.render(); } new Y.lp.answers.subscribers.createQuestionSubscribersLoader(); Y.lp.services.messages.edit.setup(); }); }); </script> </head> <body id="document" itemscope="" itemtype="http://schema.org/WebPage" class="tab-answers main_side public yui3-skin-sam"> <div class="yui-d0"> <div id="locationbar" class="login-logout"> <div id="logincontrol"><a href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+login">Log in / Register</a></div> </div><!--id="locationbar"--> <div id="watermark" class="watermark-apps-portlet"> <div> <a href="https://launchpad.net/ubuntu"><img alt="" width="64" height="64" src="https://launchpadlibrarian.net/606381979/CoF%2064px.png" /></a> </div> <div class="wide"> <h2 id="watermark-heading"><a href="https://launchpad.net/ubuntu">Ubuntu</a><br /><a href="https://launchpad.net/ubuntu/+source/xorg">xorg package</a></h2> </div> <!-- Application Menu --> <ul class="facetmenu"> <li class="overview"><a href="https://launchpad.net/ubuntu/+source/xorg">Overview</a></li> <li class="branches"><a href="https://code.launchpad.net/ubuntu/+source/xorg">Code</a></li> <li class="bugs"><a href="https://bugs.launchpad.net/ubuntu/+source/xorg">Bugs</a></li> <li class="specifications disabled-tab"><span>Blueprints</span></li> <li class="translations"><a 
href="https://translations.launchpad.net/ubuntu/+source/xorg">Translations</a></li> <li class="answers active"><a href="https://answers.launchpad.net/ubuntu/+source/xorg">Answers</a></li> </ul> </div> <div class="yui-t4"> <div id="maincontent" class="yui-main"> <div class="yui-b" dir="ltr" lang="en" xml:lang="en"> <div class="context-publication"> <h1>Please drop the necessity of HTTP referer</h1> <div id="registration" class="registering"> Asked by <a href="https://launchpad.net/~mat974" class="sprite person">Martina Theuerjahr</a> <time title="2011-04-09 11:36:11 UTC" datetime="2011-04-09T11:36:11.106126+00:00">on 2011-04-09</time> </div> </div> <div id="request-notifications"> </div> <div> <div class="report"><p>Surely, the referer might help to hamper "Cross-site request forgery". But aren't there other strong methods to prevent this kind of attack? I'm really not an expert on Internet security, but I know that the HTTP referer itself is a great privacy leak and all web sites (including home banking, eBay, paypal etc.) except for Launchpad work without transferred HTTP referers. 
It is rather enervating to disable and enable (on Opera) the referer only for the Launchpad which is a very nice bulletin board, indeed, but just a bulletin board and not a financial transaction tool.</p></div> <div class="portlet"> <h2>Question information</h2> <div class="yui-g"> <div class="yui-u first"> <div id="portlet-details" xml:lang="en" lang="en" dir="ltr"> <div class="two-column-list"> <dl id="question-lang"> <dt>Language:</dt> <dd> English <a class="menu-link-edit sprite edit action-icon" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+edit">Edit question</a> </dd> </dl> <dl id="question-status"> <dt>Status:</dt> <dd> <span class="questionstatusANSWERED">Answered</span> </dd> </dl> <dl> <dt>For:</dt> <dd> <a href="https://launchpad.net/ubuntu" class="bg-image" style="background-image: url(https://launchpadlibrarian.net/606381978/CoF%2014px.png)">Ubuntu</a> <a href="/ubuntu/+source/xorg">xorg</a> <a class="menu-link-edit sprite edit action-icon" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+edit">Edit question</a> </dd> </dl> <dl> <dt>Assignee:</dt> <dd> No assignee <a class="menu-link-edit sprite edit action-icon" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+edit">Edit question</a> </dd> </dl> <dl style="clear: both;"> <dt>Last query:</dt> <dd> <time title="2011-04-09 11:36:11 UTC" datetime="2011-04-09T11:36:11.106126+00:00">2011-04-09</time> </dd> </dl> <dl> <dt>Last reply:</dt> <dd> <time title="2011-04-10 04:06:09 UTC" datetime="2011-04-10T04:06:09.510752+00:00">2011-04-10</time> </dd> </dl> </div> </div> </div> <div class="yui-u"> <div id="related-bugs"> <h3>Related bugs</h3> <ul> <li> <a class="sprite bug" href="https://bugs.launchpad.net/bugs/560246">Bug #560246: Launchpad requires the REFERER header on form submission breaking with noscript and other privacy/spam browser plugins</a> </li> </ul> </div> <ul class="horizontal"> <li><a class="menu-link-linkbug sprite 
add" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+linkbug">Link existing bug</a></li> <li><a class="menu-link-unlinkbug sprite modify remove" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+unlinkbug">Remove bug link</a></li> </ul> <div id="related-faq" style="margin-top: 1em;"> <h3>Related FAQ:</h3> <p> <a class="sprite faq" href="/launchpad/+faq/1024">Why does Launchpad require a Referer header?</a> <a class="menu-link-linkfaq sprite edit action-icon" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+linkfaq" title="Link this question to a FAQ.">Link to a FAQ</a> </p> </div> </div> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/ubuntu/+source/xorg/+question/152211/messages/1" data-i-can-edit="False" id="comment-0"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~d--" class="sprite person">David (d--)</a> said <time itemprop="commentTime" datetime="2011-04-10T04:06:09.510752+00:00" title="2011-04-10 04:06:09 UTC">on 2011-04-10</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #1</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div 
class="boardCommentBody editable-message-text" itemprop="commentText"><p>daveb suggests this article as an answer to your question:<br /> <a href="https://answers.launchpad.net/launchpad/+faq/1024">FAQ #1024</a>: “Why does Launchpad require a REFERER header?”.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">daveb suggests this article as an answer to your question: FAQ #1024: “Why does Launchpad require a REFERER header?”.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/ubuntu/+source/xorg/+question/152211/messages/2" data-i-can-edit="False" id="comment-1"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~d--" class="sprite person">David (d--)</a> said <time itemprop="commentTime" datetime="2011-04-10T04:08:16.949407+00:00" title="2011-04-10 04:08:16 UTC">on 2011-04-10</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #2</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody 
editable-message-text" itemprop="commentText"><p>However, as noted in <a rel="nofollow" href="https://bugs.launchpad.net/bugs/560246">https:/<wbr />/bugs.launchpad<wbr />.net/bugs/<wbr />560246</a>, "Requiring a Referer header does not prevent CSRF".</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">However, as noted in https://bugs.launchpad.net/bugs/560246, "Requiring a Referer header does not prevent CSRF". </textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/ubuntu/+source/xorg/+question/152211/messages/3" data-i-can-edit="False" id="comment-2"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~mat974" class="sprite person">Martina Theuerjahr (mat974)</a> said <time itemprop="commentTime" datetime="2011-04-10T12:23:58.728682+00:00" title="2011-04-10 12:23:58 UTC">on 2011-04-10</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #3</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody 
editable-message-text" itemprop="commentText"><p>Thanks for your answer. This does not solve my problem (I knew the FAQ topic), but reactivating the discussion on the related <a href="/bugs/560246" class="bug-link">bug #560246</a> hopefully will enhance the usability of the Launchpad for users with high privacy demands.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Thanks for your answer. This does not solve my problem (I knew the FAQ topic), but reactivating the discussion on the related bug #560246 hopefully will enhance the usability of the Launchpad for users with high privacy demands.</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/ubuntu/+source/xorg/+question/152211/messages/4" data-i-can-edit="False" id="comment-3"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a href="https://launchpad.net/~dedeco" class="sprite person">Dedeco (dedeco)</a> said <time itemprop="commentTime" datetime="2015-10-16T11:42:53.817507+00:00" title="2015-10-16 11:42:53 UTC">on 2015-10-16</time><span class="editable-message-last-edit-date">: </span> 
</td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #4</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>I agree with Martina Theuerjahr. I think Launchpad loses contributors and several contributions for myself just for this simple "requirement".</p> <p>1. It does not completely prevent the attack</p> <p>2. It makes the usability VERY BAD because it may even discard our already submitted form data</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">I agree with Martina Theuerjahr. I think Launchpad loses contributors and several contributions for myself just for this simple "requirement". 1. It does not completely prevent the attack 2. It makes the usability VERY BAD because it may even discard our already submitted form data</textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div itemscope="" itemtype="http://schema.org/UserComments" class="boardComment editable-message" data-baseurl="/ubuntu/+source/xorg/+question/152211/messages/5" data-i-can-edit="False" id="comment-4"> <div class="boardCommentDetails"> <table> <tbody> <tr> <td> <div class="message-revision-container"> <div class="message-revision-container-header"> <span>Revision history for this message</span> <img src="/+icing/build/overlay/assets/skins/sam/images/close.gif" class="message-revision-close" /> </div> <script type="text/template"> <div class='message-revision-item'> <div class='message-revision-title'> <a class="sprite remove action-icon message-revision-del-btn"> Remove </a> <a class="js-action"> Revision #{revision}, created at {date_created_display} </a> </div> <div class='message-revision-body'>{content}</div> </div> </script> <div class="message-revision-list"></div> </div> <a 
href="https://launchpad.net/~leo-riggs" class="sprite person">Leonard Riggs (leo-riggs)</a> said <time itemprop="commentTime" datetime="2023-01-02T17:21:07.388181+00:00" title="2023-01-02 17:21:07 UTC">on 2023-01-02</time><span class="editable-message-last-edit-date">: </span> </td> <td> </td> <td> </td> <td class="bug-comment-index"> <a> #5</a> </td> </tr></tbody></table> </div> <div class="editable-message-body"> <div class="boardCommentBody editable-message-text" itemprop="commentText"><p>Unbelievable. If you think requiring HTTP Referer header addresses security concerns, you should not be a programmer! And by requiring such crap, you are pushing away the very sort of customer base who gravitates to FOSS, namely, people who know about computers and who care about privacy. It's simply embarrassing. By doing this, the developers show they are unqualified.</p></div> </div> <div class="editable-message-form" style="display: none"> <textarea style="width: 100%" rows="10">Unbelievable. If you think requiring HTTP Referer header addresses security concerns, you should not be a programmer! And by requiring such crap, you are pushing away the very sort of customer base who gravitates to FOSS, namely, people who know about computers and who care about privacy. It's simply embarrassing. By doing this, the developers show they are unqualified. </textarea> <input type="button" value="Update" class="editable-message-update-btn" /> <input type="button" value="Cancel" class="editable-message-cancel-btn" /> </div> </div> <div id="question" dir="en" lang="en" xml:lang="en"> <div id="can-you-help-with-this-problem"> <h2> Can you help with this problem? </h2> <p> Provide an answer of your own, or ask Martina Theuerjahr for more information if necessary. 
</p> </div> <div class="yui-g"> <ul class="horizontal" id="horizontal-menu"> <li><a class="menu-link-history sprite list" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+history">History</a></li> <li><a class="menu-link-linkbug sprite add" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+linkbug">Link existing bug</a></li> <li><a class="menu-link-linkfaq sprite modify edit" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+linkfaq" title="Link this question to a FAQ.">Link to a FAQ</a></li> <li><a class="menu-link-createfaq sprite add" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+createfaq" title="Create a new FAQ from this question.">Create a new FAQ</a></li> </ul> </div> <div align="center"> To post a message you must <a href="+login">log in</a>. </div> </div> </div> </div><!-- yui-b --> </div><!-- yui-main --> <div id="side-portlets" class="yui-b side"> <div id="involvement" class="portlet"> <ul class="involvement"> <li class="single"> <a class="sprite answers" href="https://answers.launchpad.net/ubuntu/+source/xorg/+addquestion"> Ask a question </a> </li> </ul> </div> <div id="global-actions" class="portlet vertical"> <ul> <li> <a class="menu-link-edit sprite modify edit" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+edit">Edit question</a> </li> </ul> </div> <div class="portlet" id="subscribers"> <h2>Subscribers</h2> <div id="current_user_subscription"> <div><a class="menu-link-subscription sprite add" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+subscribe" title="You will receive email notifications about updates to this question">Subscribe</a></div> </div> <div> <div><a class="menu-link-addsubscriber sprite add" href="https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211/+addsubscriber" title="Launchpad will email that person whenever this question changes">Subscribe someone 
else</a></div> </div> <div id="other-question-subscribers"></div> </div> </div><!-- yui-b side --> </div><!-- yui-t4 --> <div id="footer" class="footer"> <div class="lp-arcana"> <div class="lp-branding"> <a href="https://launchpad.net/"><img src="/@@/launchpad-footer-logo.svg" alt="Launchpad" width="65" height="18" /></a> • <a href="https://launchpad.net/+tour">Take the tour</a> • <a href="https://help.launchpad.net/">Read the guide</a> <form id="globalsearch" method="get" accept-charset="UTF-8" action="https://launchpad.net/+search"> <input type="search" id="search-text" name="field.text" /> <input type="image" src="/@@/search" style="vertical-align:5%" alt="Search Launchpad" /> </form> </div> </div> <div class="colophon"> © 2004 <a href="http://canonical.com/">Canonical Ltd.</a> • <a href="https://launchpad.net/legal">Terms of use</a> • <a href="https://www.ubuntu.com/legal/dataprivacy">Data privacy</a> • <a href="/feedback">Contact Launchpad Support</a> • <a href="http://blog.launchpad.net/">Blog</a> • <a href="https://canonical.com/careers">Careers</a> • <a href="https://ubuntu.social/@launchpadstatus">System status</a> <span id="lp-version"> • 22ade00 (<a href="https://dev.launchpad.net/">Get the code!</a>) </span> </div> </div> </div><!-- yui-d0--> <script id="json-cache-script">LP.cache = {"related_features": {}, "context": {"self_link": "https://answers.launchpad.net/api/devel/ubuntu/+source/xorg/+question/152211", "web_link": "https://answers.launchpad.net/ubuntu/+source/xorg/+question/152211", "resource_type_link": "https://answers.launchpad.net/api/devel/#question", "id": 152211, "title": "Please drop the necessity of HTTP referer", "description": "Surely, the referer might help to hamper \"Cross-site request forgery\". But aren't there other strong methods to prevent this kind of attack? 
I'm really not an expert on Internet security, but I know that the HTTP referer itself is a great privacy leak and all web sites (including home banking, eBay, paypal etc.) except for Lauchpad work without transferred HTTP referers. It is rather enervating to disable and enable (on Opera) the referer only for the Launchpad which is a very nice bulletin board, indeed, but just a bulletin board and not a financial transaction tool.", "status": "Answered", "language_link": "https://answers.launchpad.net/api/devel/+languages/en", "owner_link": "https://answers.launchpad.net/api/devel/~mat974", "assignee_link": null, "answerer_link": null, "answer_link": null, "date_created": "2011-04-09T11:36:11.106126+00:00", "date_due": null, "date_last_query": "2011-04-09T11:36:11.106126+00:00", "date_last_response": "2011-04-10T04:06:09.510752+00:00", "date_solved": null, "target_link": "https://answers.launchpad.net/api/devel/ubuntu/+source/xorg", "messages_collection_link": "https://answers.launchpad.net/api/devel/ubuntu/+source/xorg/+question/152211/messages", "http_etag": "\"605ea712f0aa7af603db38d3c07268e910aebdc9-522f4f27236730c186ee9f6f6c9588453ad8536b\""}};</script> </body> <!-- Facet name: answers Page type: main_side Has global search: True Has application tabs: True Has side portlets: True At least 81 queries/external actions issued in 0.71 seconds Features: {'profiling.enabled': None, 'hard_timeout': '5000', 'js.yui_version': None, 'app.mainsite_only.canonical_url': None, 'app.maintenance_message': None, 'baselayout.careers_link.disabled': None, 'visible_render_time': None} r22ade00 --> </html>