[whatwg] Referer header sent with <a ping>?
dolphinling
lists at dolphinling.net
Tue Jan 22 20:10:40 PST 2008
HTML5 doesn't say anything about whether a referer should be sent with the POST
generated by <a ping>. There is a new attack vector <a ping> opens (as currently
being discussed on mozilla.dev.platform) that would be blocked if the referer
were not sent.
----------
The attack vector relies on the following (not-uncommon) things:
1) There is a site that checks that a request is a POST before doing something
potentially harmful (note that some sites do this but still respond to query
parameters in the URL)
2) The server depends on user authentication
3) The server checks the referer before doing something potentially harmful, and
only allows the action if the referer was from the same server
...And for the attack vector to be *new*, it relies on
4) The server has either an out-of-date blacklist that doesn't block <a ping> or
a whitelist that explicitly allows <a ping>
(The attack is then obviously <a href="innocentpage"
ping="userdata?dosomething=evil"> posted on a user-editable part of that server).
I have in the past known sites that fit all 4 criteria (now upgraded to use a
proper whitelist, though), and I'd be surprised if others didn't exist.
----------
Note that there may be other ways of blocking this attack vector, but the
question here is whether the referer is needed, as it doesn't seem to make any
new legitimate things possible, and would help in this case (and perhaps
others--e.g. privacy).
--
dolphinling
<http://dolphinling.net/>
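To make the gap described in this post concrete from the server's side, here is an added example (not code from the post, the whatwg list, or any site it refers to). It models two server-side policies for a state-changing endpoint: the "naive" check that matches criteria 1 and 3 above (must be a POST, Referer must be same-server), which a `<a ping>` request would satisfy if the browser attached a Referer, and a hardened variant that additionally refuses requests shaped like a hyperlink-auditing ping. The site origin, the sample requests and the ping-detection rule are all assumptions: the rule relies on the current HTML standard's definition of ping requests (`Content-Type: text/ping`, body `PING`, a `Ping-To` header), which postdates this 2008 message.

```python
"""Server-side check that a state-changing request is a genuine same-site POST.

Added example for the referer discussion above; not code from the whatwg post
or any project it mentions. Assumptions (all labelled): the site origin, the
constructed sample requests, and the ping-detection rule, which follows the
current HTML standard's hyperlink-auditing definition (Content-Type text/ping,
body "PING", Ping-To header) and therefore postdates the 2008 post.
"""
from urllib.parse import urlsplit

# Constructed: origin of the site whose endpoint is being protected.
SITE_ORIGIN = "https://example.test"


def origin_of(url: str):
    """Return scheme://host[:port] of an absolute URL, lower-cased, or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def _lower_headers(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def naive_allow(method: str, headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """Criteria 1 and 3 from the post: a POST whose Referer is from this server.

    This is exactly the check a browser-sent Referer on <a ping> would satisfy.
    """
    if method.upper() != "POST":
        return False
    referer = _lower_headers(headers).get("referer")
    if referer is None:
        return False  # no Referer at all: fail closed
    return origin_of(referer) == site_origin.lower()


def is_ping_request(headers: dict, body: bytes) -> bool:
    """Recognise a hyperlink-auditing ping by its fixed shape (assumption: current HTML spec)."""
    h = _lower_headers(headers)
    content_type = h.get("content-type", "").split(";", 1)[0].strip().lower()
    return content_type == "text/ping" or body == b"PING" or "ping-to" in h


def hardened_allow(method: str, headers: dict, body: bytes = b"",
                   site_origin: str = SITE_ORIGIN) -> bool:
    """naive_allow plus: refuse ping-shaped requests and prefer Origin over Referer.

    A ping is never a legitimate state change, so it is rejected even when the
    browser attaches a same-server Referer, which is the gap the post describes.
    """
    if method.upper() != "POST":
        return False
    if is_ping_request(headers, body):
        return False
    h = _lower_headers(headers)
    source = h.get("origin") or h.get("referer")  # Origin header is the modern signal
    if not source:
        return False
    return origin_of(source) == site_origin.lower()


# Constructed sample requests: (method, headers, body).
LEGIT_FORM_POST = ("POST",
                   {"Referer": "https://example.test/settings",
                    "Content-Type": "application/x-www-form-urlencoded"},
                   b"dosomething=rename&name=alice")
PING_NO_REFERER = ("POST",
                   {"Content-Type": "text/ping",
                    "Ping-To": "https://example.test/innocentpage"},
                   b"PING")
PING_WITH_REFERER = ("POST",
                     {"Referer": "https://example.test/forum/thread/42",
                      "Content-Type": "text/ping",
                      "Ping-To": "https://example.test/innocentpage"},
                     b"PING")
CROSS_SITE_POST = ("POST",
                   {"Referer": "https://other-site.test/page",
                    "Content-Type": "application/x-www-form-urlencoded"},
                   b"dosomething=rename")
PLAIN_GET = ("GET", {"Referer": "https://example.test/settings"}, b"")


def evaluate_all() -> dict:
    """Run both policies over the samples; returns {name: (naive, hardened)}."""
    samples = {
        "legit_form_post": LEGIT_FORM_POST,
        "ping_no_referer": PING_NO_REFERER,
        "ping_with_referer": PING_WITH_REFERER,
        "cross_site_post": CROSS_SITE_POST,
        "plain_get": PLAIN_GET,
    }
    return {name: (naive_allow(m, h), hardened_allow(m, h, b))
            for name, (m, h, b) in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate_all().items():
        print(f"{name:18} naive={str(naive):5} hardened={hardened}")
```

The interesting row is `ping_with_referer`: the naive policy accepts it (POST, same-server Referer), which is precisely why the post asks for the Referer to be omitted, while the hardened policy rejects it regardless of what the browser sends. Withholding the Referer closes the gap for servers that only have the naive check; recognising the ping shape, and preferring the Origin header, closes it without depending on browser behaviour.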