[whatwg] Referer header sent with <a ping>?
Kornel Lesinski
kornel at osiolki.net
Tue Feb 12 16:32:39 PST 2008
On Tue, 12 Feb 2008 21:54:25 -0000, Philip Taylor <pjt47 at cam.ac.uk> wrote:
> It's quite a different situation when the Referer is used as a security
> measure in deciding to trust a user's request, where false negatives can
> have significant consequences (like editing data via cross-site request
> forgery). That is the situation where <a ping> mustn't introduce new
> risks.
>
> I looked for some examples of code that checks the Referer for security,
> and found:
[...]
That's interesting. In that case the attack outlined on Mozilla's list is even
less likely to succeed than I thought. So maybe a "less abusive" approach
would suffice:
* if ping is cross-domain, always send Referer
* if ping originates from the same domain, don't send any Referer at all
--
regards, Kornel Lesiński
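The rule proposed above, played through against a server-side Referer check of the kind Philip mentions, as an added example that is not part of the thread. It assumes that "domain" means the URL host, that the hypothetical server rejects requests with a missing or foreign Referer, and all URLs are constructed.

```javascript
// Added example, not code from the thread or from any browser/spec.
// Models Kornel's proposed Referer rule for <a ping> requests and a
// server-side Referer check used as a CSRF guard, to see whether the
// rule lets a ping slip past such a check.

// Referer a ping request would carry under the proposal:
// cross-domain ping -> the full document URL; same-domain ping -> none.
// "Domain" is taken as the host here (an assumption; the thread does not
// say whether it means host, registrable domain, or origin).
function pingReferer(documentUrl, pingUrl) {
  const doc = new URL(documentUrl);
  const ping = new URL(pingUrl);
  return doc.host === ping.host ? null : doc.href;
}

// Strict server-side guard: a state-changing request is trusted only if the
// Referer is present, parsable, and belongs to the server's own host.
function refererCheckAccepts(serverHost, referer) {
  if (referer === null) return false;   // missing Referer is rejected
  try {
    return new URL(referer).host === serverHost;
  } catch (e) {
    return false;                       // unparsable Referer is rejected
  }
}

// Walk one ping through both sides and report what the server would do.
function simulatePing(documentUrl, pingUrl) {
  const referer = pingReferer(documentUrl, pingUrl);
  const accepted = refererCheckAccepts(new URL(pingUrl).host, referer);
  return { referer, accepted };
}
```

A cross-domain ping carries the originating page's URL, so the guard rejects it; a same-domain ping carries no Referer, so a strict guard rejects it as well, which is where the false negatives Philip describes come from.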