[whatwg] Referer header sent with <a ping>?
Ian Hickson
ian at hixie.ch
Wed Feb 20 11:26:38 PST 2008
On Wed, 13 Feb 2008, Kornel Lesinski wrote:
>
> That's interesting. In that case the attack outlined on Mozilla's list is
> even less likely to succeed than I thought. So maybe a "less abusive"
> approach would suffice:
>
> * if ping is cross-domain, always send Referer
> * if ping originates from the same domain, don't send any Referer at all

Ok, I've done that instead.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'