Brian May <bam@debian.org> writes:

> I am still a bit unclear in the CVE-2016-4412 / PMASA-2016-57
> vulnerability. Ok, so let's say the vulnerability is in the HTTP_REFERER
> having the token.

Curiously while I can reproduce this in Firefox, I can't under Chrome, as it doesn't seem to provide the Referer header in this situation.

-- 
Brian May <bam@debian.org>