# information for the search. Because it's a straight-up read, in
# addition to embedding its own auth, it's fine.
'/NoAuth/rss/dhandler' => 1,
+
+ # IE doesn't send referer in window.open()
+ # besides, as a harmless calendar select page, it's fine
+ '/Helpers/CalPopup.html' => 1,
+
+ # While both of these can be used for denial-of-service against RT
+ # (construct a very inefficient query and trick lots of users into
+ # running them against RT) it's incredibly useful to be able to link
+ # to a search result or bookmark a result page.
+ '/Search/Results.html' => 1,
+ '/Search/Simple.html' => 1,
);
sub IsCompCSRFWhitelisted {
projects / freeside.git / blobdiff