Add referer on post request for CSRF protection bypass issue #138

[spras]

I ran on issue #138 using jackrabbit 2.12.6

Tried to add Referer as proposed in the dissussion, it worked.

Here is my PR

[dbu]

thanks! i just noticed that the master branch is 1.3 and not yet released. there are a couple of things needed until we can release 1.3, mainly releasing jackalope/jackalope 1.3 and #132. its not that easy to release a 1.2 patch version because i would need to cherry-pick quite a few commits into a 1.2 branch for that, sorting out what should go in there and what not... are you using the dev version 1.3 currently?

[spras]

you're right, i was working in sulu, which use the 1.2.2 version

[danrot]

@dbu Any roadmap about the 1.3 release? This change is a really big obstacle for new developer trying jackalope...

[dbu]

good point. currently master is failing on travis - i have to figure out why before i can tag a release. bumped my priority for this.

[dbu]

1.3.0 is now tagged!