
True. IMHO that should be changed (i.e. turn these into POST requests). In modern browsers (unfortunately not in Safari, as always ;)) there is even a solution for GET requests: https://web.dev/fetch-metadata/ (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site)

I'd guess that not many users have a browser that is both old (doesn't send the "Origin" header) and has an extension that blocks the "Referer" header. I might be wrong, but as a fallback (!), checking the "Referer" header would be good enough IMHO.
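The check this reply describes, written out as an added example (not code from the poster or any project): prefer Sec-Fetch-Site where the browser sends it, then Origin, and fall back to Referer only when neither is present, rejecting when nothing is left to verify. APP_ORIGIN and the sample requests are constructed, and treating "same-site" as untrusted for state-changing requests is an assumption of this example.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

APP_ORIGIN = "https://forum.example"  # assumed application origin (constructed)

def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] of a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def is_request_allowed(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a state-changing request came from our own site.
    Precedence: Sec-Fetch-Site (browser-set, not page-script-controlled),
    then Origin, then Referer as the fallback; nothing usable means reject."""
    h = {k.lower(): v for k, v in headers.items()}

    site = h.get("sec-fetch-site")
    if site is not None:
        # "none" = user-initiated navigation (typed URL, bookmark), allowed.
        # "same-site" is rejected on purpose: a sibling subdomain is not us.
        return site in ("same-origin", "none"), f"Sec-Fetch-Site={site}"

    origin = h.get("origin")
    if origin is not None:
        # "null" (opaque or sandboxed origin) simply fails the comparison.
        return origin.lower() == APP_ORIGIN, f"Origin={origin}"

    referer = h.get("referer")
    if referer is not None:
        return origin_of(referer) == APP_ORIGIN, f"Referer={referer}"

    # Old browser with the Referer stripped: nothing to verify, so reject.
    return False, "no Sec-Fetch-Site, Origin or Referer header"

# Constructed sample requests (header dicts), not captured traffic.
SAMPLES = {
    "modern, same-origin form POST": {"Sec-Fetch-Site": "same-origin"},
    "modern, cross-site GET": {"Sec-Fetch-Site": "cross-site", "Referer": "https://other.example/"},
    "older, cross-site with Origin": {"Origin": "https://other.example"},
    "old, Referer fallback": {"Referer": APP_ORIGIN + "/thread/1"},
    "old, Referer stripped": {},
}

def evaluate_samples() -> Dict[str, bool]:
    """Map each sample name to the check's verdict (True = allowed)."""
    return {n: is_request_allowed(hd)[0] for n, hd in SAMPLES.items()}
```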
