Some Hydra API requests were vulnerable to XSRF attacks, e.g. you could have a form on another website using http://hydra/logout as the form action. So we now require POST requests to come from the same origin.
Reported by Hans-Christian Esperer.
2P35LNRY3ZWGLARBNWLQEW2QPS3CTK4Z677ZZYFX4GLVNLUONYBAC
# XSRF protection: require POST requests to have the same origin.
if ($c->req->method eq "POST") {
my $referer = $c->req->header('Origin');
$referer //= $c->req->header('Referer');
my $base = $c->req->base;
error($c, "POST requests should come from ‘$base’")
unless defined $referer && $referer eq $base;
}
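Review bot: The `$referer eq $base` test in the `unless` condition is an exact string match, which is too strict for the Referer fallback. Referer carries the full URL of the referring page, path and query included, so when a browser sends no Origin header a legitimate same-site form posted from any page other than the base URL itself is rejected. Origin is only scheme, host and port with no trailing slash, so whether it matches depends on how `$c->req->base` stringifies. Suggest normalising both values to end in `/` and then checking that the header value begins with `$base`; the trailing slash matters, since a bare prefix match without it would also accept a host name that merely starts with the same characters. Two things worth documenting in the comment: non-browser API clients that send neither header now fail the `defined $referer` test on every POST, and the check does nothing for state-changing actions that are still reachable with GET.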