Protect attachment downloads against CSRF #4957
Reported by @thomascube on 16 Jan 2016 16:36 UTC as Trac ticket #1490642
Message attachments are downloaded via GET requests (with
We already have CSRF protection means with session-based request tokens. Requiring such tokens on download URLs would add the necessary protection against these unwanted downloads.
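The check the ticket proposes, as an added illustration rather than code from the ticket or from the project: a request token derived from a server-side, per-session secret is put into each attachment download link, and the GET handler refuses to serve the attachment unless the supplied token matches the caller's own session. The session store and the query parameter names (`_uid`, `_part`, `_token`, ...) are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed session store: session id -> random per-session secret.
# The secret is created when the session starts and never leaves the server.
SESSIONS = {}


def start_session():
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def request_token(sid):
    """Derive the request token from the session secret, so it is bound to that session."""
    return hmac.new(SESSIONS[sid], b"request-token", hashlib.sha256).hexdigest()


def attachment_url(sid, uid, part):
    """Build a download link the way the mail client would, with the token in the query string."""
    return "/?" + urlencode({"_task": "mail", "_action": "get", "_uid": uid,
                             "_part": part, "_token": request_token(sid)})


def handle_download(sid, url):
    """Server side of the GET download: (status, body).

    A cross-site page can make the victim's browser send the session cookie (sid)
    with any URL it likes, but it cannot read the token, so a forged link without
    it, or carrying a token from some other session, is rejected before any data
    is served.
    """
    if sid not in SESSIONS:
        return 401, "no session"
    params = parse_qs(urlparse(url).query)
    supplied = params.get("_token", [""])[0]
    # Constant-time comparison against the token of the *caller's* session.
    if not hmac.compare_digest(supplied, request_token(sid)):
        return 403, "invalid request token"
    return 200, f"attachment uid={params['_uid'][0]} part={params['_part'][0]}"
```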