[whatwg] Referer header sent with <a ping>?
lists at dolphinling.net
Tue Jan 22 20:10:40 PST 2008
HTML5 doesn't say anything about whether a referer should be sent with the POST
generated by <a ping>. There is a new attack vector <a ping> opens (as currently
being discussed on mozilla.dev.platform) that would be blocked if the referer
were not sent.
The attack vector relies on the following (not-uncommon) things:
1) There is a site that checks that a request is a POST before doing something
potentially harmful (note that some sites do this but still respond to query
parameters in the URL)
2) The server depends on user authentication
3) The server checks the referer before doing something potentially harmful, and
only allows the action if the referer was from the same server
...And for the attack vector to be *new*, it relies on
4) The server has either an out-of-date blacklist that doesn't block <a ping> or
a whitelist that explicitly allows <a ping>
(The attack is then obviously <a href="innocentpage"
ping="userdata?dosomething=evil"> posted on a user-editable part of that server).
I have in the past known sites that fit all 4 criteria (now upgraded to use a
proper whitelist, though), and I'd be surprised if others didn't exist.
Note that there may be other ways of blocking this attack vector, but the
question here is whether the referer is needed, as it doesn't seem to make any
new legitimate things possible, and would help in this case (and perhaps
More information about the whatwg