[whatwg] Referer header sent with <a ping>?
Ian Hickson
ian at hixie.ch
Tue Jan 22 23:27:16 PST 2008
On Tue, 22 Jan 2008, dolphinling wrote:
>
> HTML5 doesn't say anything about whether a referer should be sent with
> the POST generated by <a ping>. There is a new attack vector <a ping>
> opens (as currently being discussed on mozilla.dev.platform) that would
> be blocked if the referer were not sent.
Fixed. I also said to not include Cookies or HTTP auth headers. Legitimate
uses can always include whatever information they want in the ping=""
attribute's value itself.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'