From 0af14b2eaa0bf0821a8aacc8486489a1eb348397 Mon Sep 17 00:00:00 2001 From: Flávio Juvenal Date: Wed, 24 May 2017 16:36:45 -0700 Subject: Refs #16870 -- Doc'd that CSRF protection requires the Referer header. --- docs/ref/csrf.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'docs') diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index 802d7251ab..dd5ea479ae 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -315,7 +315,19 @@ the HOST header ` and that there aren't any (because XSS vulnerabilities already let an attacker do anything a CSRF vulnerability allows and much worse). +.. admonition:: Removing the ``Referer`` header + + To avoid disclosing the referrer URL to third-party sites, you might want + to `disable the referer`_ on your site's ```` tags. For example, you + might use the ```` tag or + include the ``Referrer-Policy: no-referrer`` header. Due to the CSRF + protection's strict referer checking on HTTPS requests, those techniques + cause a CSRF failure on requests with 'unsafe' methods. Instead, use + alternatives like ``"`` for links to third-party + sites. + .. _BREACH: http://breachattack.com/ +.. _disable the referer: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery Caching ======= -- cgit v1.3