gerv at mozilla.org
Mon Mar 13 14:23:10 PST 2006
Darin Fisher wrote:
> Keep in mind that there is also the problem that the POST request may
> have undesirable side-effects. The web app probably needs a request
> header from the browser to tell it what domain is sending it data. The
> Referer header is not sufficient since the browser will not send a HTTPS
> referrer-URI over plaintext.
And Referer, of course, is optional. And having something which is
compulsory might raise privacy issues.
> We need to restrict READs as well as WRITEs when it comes to XSS ;-)
Good point; I'd forgotten that.
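As an added example (not from the original thread), the following Python models the two server-side policies under discussion: deciding whether to honour a cross-domain POST with side-effects from the optional Referer header versus from a compulsory origin-naming header. The header name `Origin` (later standardized), the allow-list and the sample header sets are assumptions constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed allow-list: origins permitted to send state-changing POSTs.
TRUSTED = {"https://app.example"}


def origin_of(url):
    """Reduce a URL to scheme://host[:port], or None if it has neither."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def referer_policy(headers):
    """Accept only if Referer names a trusted origin.

    The thread's objection: Referer is optional, and browsers omit it when
    an HTTPS page posts to a plaintext URL, so a legitimate request becomes
    indistinguishable from a forged one.  Failing closed (as here) breaks
    legitimate users; failing open would accept forgeries."""
    ref = headers.get("Referer")
    return origin_of(ref) in TRUSTED if ref else False


def origin_policy(headers):
    """Accept only if a compulsory origin header names a trusted origin.

    Because the header is not optional in this model, its absence is a safe
    deny rather than an ambiguous one."""
    return headers.get("Origin") in TRUSTED


def decide(headers):
    """Run both policies over one request's headers for comparison."""
    return {"referer": referer_policy(headers), "origin": origin_policy(headers)}


# Constructed request header sets (hypothetical hosts):
# 1. Trusted HTTPS page posting to an HTTPS endpoint: both policies agree.
SAME_SITE_HTTPS = {"Referer": "https://app.example/form",
                   "Origin": "https://app.example"}
# 2. Trusted HTTPS page posting to a plaintext endpoint: the browser strips
#    Referer, so the Referer policy wrongly denies; the origin header still
#    carries the sending domain.
HTTPS_TO_HTTP = {"Origin": "https://app.example"}
# 3. Untrusted page: both headers name a host outside the allow-list.
CROSS_SITE = {"Referer": "http://other.test/x", "Origin": "http://other.test"}

if __name__ == "__main__":
    for name, hdrs in [("same-site https", SAME_SITE_HTTPS),
                       ("https->http", HTTPS_TO_HTTP), ("cross-site", CROSS_SITE)]:
        print(name, decide(hdrs))
```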