https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37407 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- At a glance, this should work, but... conventional wisdom is that HTTP Referer/document.referrer shouldn't be used for security. This feels like a workaround. That said, at the moment, I can't see a particular technical flaw in it. In the context that document.referrer is being used... I can't see a way it could be manipulated to trigger this form submit (other than XSS but that's an issue for token based anti-CSRF too). I thought Javascript could manipulate the Referer for AJAX requests, but the Internet tells me that's not the case. So yeah... I think this is OK, but I don't like it. So I won't Fail QA, but I'm not going to Pass QA either. A different QAer may feel differently. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.