[whatwg] Referer header sent with <a ping>?

[Ian Hickson]

On Tue, 22 Jan 2008, dolphinling wrote:
>
> HTML5 doesn't say anything about whether a referer should be sent with 
> the POST generated by <a ping>. There is a new attack vector <a ping> 
> opens (as currently being discussed on mozilla.dev.platform) that would 
> be blocked if the referer were not sent.

Fixed. I also said to not include Cookies or HTTP auth headers. Legitimate 
uses can always include whatever information they want in the ping="" 
attribute's value itself.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'