Stop comparing current URL to referrer

Description

As far as I can recall, comparing the current URL to the referrer URL
served two purposes:

  1. Protection against CSRF attacks, even ones with a valid CSRF token, that came from the wrong referrer.
  2. Determining if the current request was submitted against this form or a different one (e.g. the redirects to advanced or bulk mode).

I believe the first purpose is no longer relevant. The CSRF token alone
was not enough to protect against other Toolforge tools, back when they
were still hosted on the same domain and could therefore read this
tool’s forms without CORS, but now that the tool has its own domain, we
should no longer need anything other than the token. And the second
purpose can be better handled by adding some hidden inputs that identify
the current form. This lets us avoid the URL comparisons, which have
always been fragile due to various issues (most recently, encoding of
unusual query arguments and non-ASCII template names). The current_url()
function is kept, for now, but I believe it can soon be removed, and the
remaining users can use flask.request.url instead.
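The following is an added illustration of the approach described in this commit message; it is not code from the tool itself. It models the two checks the message keeps (a per-session CSRF token, and a hidden input naming the form) and drops the referrer comparison entirely. The form identifiers (`basic`, `advanced`, `bulk`), the field names `_form_id` and `_csrf_token`, and the `dispatch()` function are assumptions made for the example; the session is a plain dict standing in for the web framework's session object.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical form identifiers for the tool's modes. The names follow the
# modes the commit mentions (basic form, advanced mode, bulk mode), but the
# identifiers themselves are assumptions for this example.
KNOWN_FORMS = ("basic", "advanced", "bulk")


def new_csrf_token() -> str:
    """Generate an unguessable per-session CSRF token (kept server-side in the session)."""
    return secrets.token_urlsafe(32)


def hidden_inputs(form_id: str, csrf_token: str) -> str:
    """Render the two hidden inputs every form carries: which form this is, and the token.

    The form identifier travels in the POST body, so the handler never has to
    reconstruct or compare URLs; query-string encoding and non-ASCII values in
    the URL no longer influence the decision.
    """
    if form_id not in KNOWN_FORMS:
        raise ValueError(f"unknown form id {form_id!r}")
    return (
        f'<input type="hidden" name="_form_id" value="{form_id}">'
        f'<input type="hidden" name="_csrf_token" value="{csrf_token}">'
    )


def csrf_token_valid(form: Dict[str, str], session_token: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the session token.

    Both sides are encoded to bytes first: hmac.compare_digest accepts str only
    when both strings are ASCII, and the submitted value is client-controlled.
    """
    submitted = form.get("_csrf_token")
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token.encode("utf-8"), submitted.encode("utf-8"))


def dispatch(form: Dict[str, str], session: Dict[str, str], this_form_id: str) -> Tuple[str, str]:
    """Decide what a POST handler should do with a submission.

    Returns one of:
      ("reject", reason)        token missing/mismatched, or unknown form id
      ("redirect", other_form)  valid submission that belongs to another mode's form
      ("process", template)     valid submission against this form
    The HTTP referrer is deliberately not an input to this function.
    """
    if not csrf_token_valid(form, session.get("csrf_token")):
        return ("reject", "csrf token missing or mismatched")
    form_id = form.get("_form_id", "")
    if form_id == this_form_id:
        return ("process", form.get("template", ""))
    if form_id in KNOWN_FORMS:
        return ("redirect", form_id)
    return ("reject", "unknown form id")


if __name__ == "__main__":
    session = {"csrf_token": new_csrf_token()}
    # Constructed submission: a non-ASCII template name with characters that
    # would be awkward in a query string; it plays no part in the routing decision.
    post_body = {"_form_id": "basic", "_csrf_token": session["csrf_token"],
                 "template": "Vorlage:Ünicode & Co?"}
    print(dispatch(post_body, session, "basic"))          # ('process', 'Vorlage:Ünicode & Co?')
    print(dispatch({**post_body, "_form_id": "advanced"}, session, "basic"))  # ('redirect', 'advanced')
    print(dispatch({**post_body, "_csrf_token": "forged"}, session, "basic"))  # ('reject', ...)
```

The routing decision depends only on two values carried in the POST body and compared against server-side state, which is why the brittle URL normalisation the message describes (query encoding, non-ASCII template names) disappears along with the referrer check. The token comparison uses `hmac.compare_digest` on bytes so that a non-ASCII submitted value cannot raise instead of simply failing.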

Details

Provenance
Lucas Werkmeister, authored on Feb 1 2021, 9:28 PM
Parents
R2362:d237952e44ca: Reinstate current_url() implementation