Important: #83768 - Remove referrer check¶
See Issue #83768
Browser vendors are considering or have already announced not to send the referrer URL/path in HTTP requests when links are followed or forms are submitted due to privacy reasons. TYPO3 used the referrer as a meagre CSRF protection for the backend. However, this has been replaced by proper CSRF protection tokens for every backend action and therefore, the referrer check became obsolete and has been removed.
Usages of the configuration option
[SYS][doNotCheckReferer] within TYPO3 Core have been removed, as this is not
needed anymore. However, the option can still be set for extensions implementing this option.
Backend users will not notice any differences.
All installations are affected.
TYPO3 extensions that use option
[SYS][doNotCheckReferer] to implement a kind of CSRF protection, should use
proper CSRF protection tokens provided by the core.