[html5] r1170 - /

whatwg at whatwg.org
Tue Jan 22 23:29:01 PST 2008


Author: ianh
Date: 2008-01-22 23:28:55 -0800 (Tue, 22 Jan 2008)
New Revision: 1170

Modified:
   index
   source
Log:
[g] (2) Fix a potential security flaw in ping='' -- http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-January/013637.html

Modified: index
===================================================================
--- index	2008-01-23 07:08:36 UTC (rev 1169)
+++ index	2008-01-23 07:28:55 UTC (rev 1170)
@@ -31046,14 +31046,21 @@
    third-party URIs).
 
   <p>For URIs that are HTTP URIs, the requests must be performed using the
-   POST method (with an empty entity body in the request). User agents must
-   ignore any entity bodies returned in the responses, but must, unless
-   otherwise specified by the user, honour the HTTP headers — in
-   particular, HTTP cookie headers. <a href="#refsRFC2965">[RFC2965]</a>
+   POST method (with an empty entity body in the request). The requests must
+   not include a <code title="">Referer</code> HTTP header, cookies, or HTTP
+   authentication headers.</p>
+  <!-- otherwise,
+  sites that allow users to include <a href="" ping=""> in their
+  content will be vulnerable to same-site request forgeries. -->
 
-  <p class=note>To save bandwidth, implementors might wish to consider
+  <p class=note>To save bandwidth, implementors might also wish to consider
    omitting optional headers such as <code>Accept</code> from these requests.
 
+  <p>User agents must ignore any entity bodies returned in the responses, but
+   must, unless otherwise specified by the user, honor the HTTP headers
+   (including, in particular, redirects and HTTP cookie headers). <a
+   href="#refsRFC2965">[RFC2965]</a>
+
   <p>When the <code title=attr-hyperlink-ping><a href="#ping">ping</a></code>
    attribute is present, user agents should clearly indicate to the user that
    following the hyperlink will also cause secondary requests to be sent in
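Review bot: the new paragraph requires user agents to honor redirects in the ping response, but nothing in this hunk says that the redirected request is also subject to the new rule that requests "must not include a Referer HTTP header, cookies, or HTTP authentication headers"; suggest making that explicit, e.g. "The requests, and any requests resulting from redirects, must not include ...", since otherwise the forgery protection the comment describes can be lost on the first hop. Relatedly, the same paragraph asks user agents to honor "HTTP cookie headers" in the response, so a ping target can still set cookies that ride along on ordinary navigations to it even though ping requests never carry any; if that is intended, it is worth saying so next to the restriction rather than leaving the two rules in separate paragraphs where they read as contradictory.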

Modified: source
===================================================================
--- source	2008-01-23 07:08:36 UTC (rev 1169)
+++ source	2008-01-23 07:28:55 UTC (rev 1170)
@@ -28533,16 +28533,21 @@
   URIs).</p>
 
   <p>For URIs that are HTTP URIs, the requests must be performed using
-  the POST method (with an empty entity body in the request). User
-  agents must ignore any entity bodies returned in the responses, but
-  must, unless otherwise specified by the user, honour the HTTP
-  headers — in particular, HTTP cookie headers. <a
-  href="#refsRFC2965">[RFC2965]</a></p>
+  the POST method (with an empty entity body in the request). The
+  requests must not include a <code title="">Referer</code> HTTP
+  header, cookies, or HTTP authentication headers.</p> <!-- otherwise,
+  sites that allow users to include <a href="" ping=""> in their
+  content will be vulnerable to same-site request forgeries. -->
 
-  <p class="note">To save bandwidth, implementors might wish to
+  <p class="note">To save bandwidth, implementors might also wish to
   consider omitting optional headers such as <code>Accept</code> from
   these requests.</p>
 
+  <p>User agents must ignore any entity bodies returned in the
+  responses, but must, unless otherwise specified by the user, honor
+  the HTTP headers (including, in particular, redirects and HTTP
+  cookie headers). <a href="#refsRFC2965">[RFC2965]</a></p>
+
   <p>When the <code title="attr-hyperlink-ping">ping</code> attribute is
   present, user agents should clearly indicate to the user that
   following the hyperlink will also cause secondary requests to be
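Review bot: the rationale for forbidding Referer, cookies and authentication headers lives only in an HTML comment ("otherwise, sites that allow users to include <a href="" ping=""> in their content will be vulnerable to same-site request forgeries"), so implementers reading the rendered spec never learn why the requirement exists; consider promoting it to a visible <p class="note"> next to the bandwidth note, and describing the threat in the usual terms (a forged request carrying the victim's credentials, i.e. cross-site request forgery, here aimed at the site hosting the user content). Also, `</p> <!-- otherwise,` puts the comment on the same line as the closing tag while the index hunk places it on its own line; keep the two files' layout consistent.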
