Protect attachment downloads against CSRF #4957
Reported by @thomascube on 16 Jan 2016 16:36 UTC as Trac ticket #1490642
Message attachments are downloaded via GET requests (with
We already have CSRF protection means with session-based request tokens. Requiring such tokens on download URLs would add the necessary protection against these unwanted downloads.
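A sketch of the mitigation proposed above, added here as an illustration and not taken from Roundcube's code: a token derived from a server-side session secret is appended to the download URL and checked in constant time before the attachment is served. The function names, the query parameter names (`uid`, `part`, `token`) and the `/download` path are hypothetical.

```php
<?php
// Added illustration; all names and the URL layout are hypothetical.

// Create the per-session secret once; it never leaves the server.
function session_secret(array &$session): string {
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_secret'];
}

// Request token derived from the session secret, not from the
// message and part ids that appear in the URL.
function request_token(array &$session): string {
    return hash_hmac('sha256', 'request-token', session_secret($session));
}

// Build a download URL that carries the token as a query parameter.
function download_url(array &$session, string $uid, string $part): string {
    return '/download?' . http_build_query([
        'uid' => $uid, 'part' => $part, 'token' => request_token($session),
    ]);
}

// Decide whether a GET request may trigger the download.
function may_download(array &$session, array $query): bool {
    $given = $query['token'] ?? '';
    // is_string() rejects array-valued input such as ?token[]=x
    return is_string($given) && hash_equals(request_token($session), $given);
}

// Constructed sample requests against one logged-in session.
$user = [];
parse_str(parse_url(download_url($user, '42', '2'), PHP_URL_QUERY), $own_link);

$no_token = ['uid' => '42', 'part' => '2'];  // cross-site request without a token

$other = [];                                 // token minted for a different session
$foreign_token = $no_token + ['token' => request_token($other)];

var_dump(may_download($user, $own_link));      // link generated for this session
var_dump(may_download($user, $no_token));      // token missing
var_dump(may_download($user, $foreign_token)); // token from another session
```

Because the token now travels in a GET URL, it can end up in browser history, proxy logs and `Referer` headers, so it should stay scoped to the session and expire with it.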