summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorFlávio Juvenal <flaviojuvenal@gmail.com>2017-05-24 16:36:45 -0700
committerTim Graham <timograham@gmail.com>2017-06-22 11:50:00 -0400
commit0af14b2eaa0bf0821a8aacc8486489a1eb348397 (patch)
tree36aeed00ae415f909278cea45e3d242990e39599 /docs/ref
parente1cd5a76d739210ae3b45d2c5f1ac7a556d6fa53 (diff)
Refs #16870 -- Doc'd that CSRF protection requires the Referer header.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/csrf.txt12
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 802d7251ab..dd5ea479ae 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -315,7 +315,19 @@ the HOST header <host-headers-virtual-hosting>` and that there aren't any
(because XSS vulnerabilities already let an attacker do anything a CSRF
vulnerability allows and much worse).
+.. admonition:: Removing the ``Referer`` header
+
+ To avoid disclosing the referrer URL to third-party sites, you might want
+ to `disable the referer`_ on your site's ``<a>`` tags. For example, you
+ might use the ``<meta name="referrer" content="no-referrer">`` tag or
+ include the ``Referrer-Policy: no-referrer`` header. Due to the CSRF
+ protection's strict referer checking on HTTPS requests, those techniques
+ cause a CSRF failure on requests with 'unsafe' methods. Instead, use
+ alternatives like ``<a rel="noreferrer" ...>"`` for links to third-party
+ sites.
+
.. _BREACH: http://breachattack.com/
+.. _disable the referer: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery
Caching
=======