On 2015-05-12 09:15, Reindl Harald wrote:

if that would work it would deserve a bugreport and a CVE because you would bypass the http://en.wikipedia.org/wiki/Cross-site_request_forgery protection

I don't see why that would be the case. It's similar to entering https://www.google.com/?q=query+string into your browser's address bar.

This wouldn't require any loss of security as RC can already verify authentication state before processing a request. For example, if you request this URL before logging in, you'll get a login page rather than the actual mailbox: https://roundcube/?_task=mail&_mbox=Archive is requested the same as if you were to request https://roundcube/?_task=mail&_mbox=Not%20Real

It may not be possible with RC, but that's what I want to understand.