[whatwg] Referer header sent with <a ping>?
Darin Fisher
darinf at gmail.com
Wed Jan 23 08:52:31 PST 2008
HTTP auth headers may be required to access the internet (e.g., to pass a
request through a proxy server), so this should only apply to the
Authorization request header, right?
-Darin
On Jan 22, 2008 11:27 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Tue, 22 Jan 2008, dolphinling wrote:
> >
> > HTML5 doesn't say anything about whether a referer should be sent with
> > the POST generated by <a ping>. There is a new attack vector <a ping>
> > opens (as currently being discussed on mozilla.dev.platform) that would
> > be blocked if the referer were not sent.
>
> Fixed. I also said to not include Cookies or HTTP auth headers. Legitimate
> uses can always include whatever information they want in the ping=""
> attribute's value itself.
>
> --
> Ian Hickson U+1047E )\._.,--....,'``. fL
> http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
> Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
>