users@javaserverfaces-spec-public.java.net

[jsr344-experts mirror] [jsr344-experts] [869-CSRF] (View Protection as specified is vulnerable to referer spoofing attack)

From: Edward Burns <edward.burns_at_oracle.com>
Date: Thu, 28 Feb 2013 14:13:00 -0800

>>>>> On Sun, 10 Feb 2013 14:48:27 -0500, Leonardo Uribe <lu4242_at_gmail.com> said:

[...]

LU> So, it is valid to check the Referer header if present (just the usual: server,
LU> port, context path, that the view exists ...), but the Token must be checked
LU> always for non-postback requests (remember a postback contains the
LU> javax.faces.ViewState token). Also, we could check for the Origin
LU> header if present, just for consistency, as suggested in the owasp.org
LU> wiki.

Leonardo, are you suggesting that we drop the "Otherwise, try to
determine if the value of the Referer header corresponds to any of the
views in the current web application." text?

Also, can you please tell us exactly what you want to have done with the
Origin header?

Note that the original requirements for the issue did not include
Referer spoofing protection, though I'd like to see how we can include
that as well.

Ed

--
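The per-request decision Leonardo sketches (Referer and Origin validated only when present, the token mandatory on every non-postback request), written out as an added example; this is not text from the spec discussion nor code from Mojarra or MyFaces. The class name, the plain-field request model and the assumption that a Referer path is the context path followed by a view id are all mine; the expected token is assumed to be the one stored in the user's session.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

/** Hypothetical per-request view-protection check. Request attributes are plain fields here
 *  (constructed example); a real servlet filter would read them from HttpServletRequest. */
public final class ViewProtectionCheck {
    private final String scheme, host, contextPath, expectedToken;
    private final int port;
    private final Set<String> knownViews;   // view ids that exist in this application

    public ViewProtectionCheck(String scheme, String host, int port, String contextPath,
                               Set<String> knownViews, String expectedToken) {
        this.scheme = scheme; this.host = host; this.port = port; this.contextPath = contextPath;
        this.knownViews = knownViews; this.expectedToken = expectedToken;
    }

    /** Absent header: no opinion. Present header: scheme, host and port must match this app;
     *  for Referer the path must also name an existing view under this context path. */
    boolean matchesThisApp(String header, boolean mustNameView) {
        if (header == null) return true;
        try {
            URI u = new URI(header);
            int p = u.getPort() != -1 ? u.getPort() : ("https".equals(u.getScheme()) ? 443 : 80);
            if (!scheme.equals(u.getScheme()) || !host.equalsIgnoreCase(u.getHost()) || p != port) return false;
            if (!mustNameView) return true;            // Origin carries no path
            String path = u.getPath();                 // assumed form: contextPath + viewId
            return path != null && path.startsWith(contextPath + "/")
                    && knownViews.contains(path.substring(contextPath.length()));
        } catch (URISyntaxException e) {
            return false;                              // unparseable header: treat as mismatch
        }
    }

    /** Headers are advisory; the token is what actually stops a cross-site request. */
    public boolean isAllowed(boolean postback, String tokenParam, String referer, String origin) {
        if (!matchesThisApp(referer, true) || !matchesThisApp(origin, false)) return false;
        if (postback) return true;                     // javax.faces.ViewState already carries the token
        return tokenParam != null && MessageDigest.isEqual(   // constant-time comparison
                tokenParam.getBytes(StandardCharsets.UTF_8), expectedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        ViewProtectionCheck c = new ViewProtectionCheck("https", "app.example", 443, "/shop",
                Set.of("/cart.xhtml", "/checkout.xhtml"), "t0k3n");   // constructed values
        System.out.println(c.isAllowed(false, "t0k3n", "https://app.example/shop/cart.xhtml", null)); // same-app Referer, token present
        System.out.println(c.isAllowed(false, "t0k3n", "https://evil.example/shop/cart.xhtml", null)); // foreign Referer
        System.out.println(c.isAllowed(false, null, "https://app.example/shop/cart.xhtml", null));    // good Referer but no token
        System.out.println(c.isAllowed(true, null, null, "https://app.example"));                     // postback, Origin only
    }
}
```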