[whatwg] Referer header sent with <a ping>?

Ian Hickson ian at hixie.ch
Tue Jan 22 23:27:16 PST 2008


On Tue, 22 Jan 2008, dolphinling wrote:
>
> HTML5 doesn't say anything about whether a referer should be sent with 
> the POST generated by <a ping>. There is a new attack vector <a ping> 
> opens (as currently being discussed on mozilla.dev.platform) that would 
> be blocked if the referer were not sent.

Fixed. I also said to not include Cookies or HTTP auth headers. Legitimate 
uses can always include whatever information they want in the ping="" 
attribute's value itself.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


