[whatwg] Referer header sent with <a ping>?

Darin Fisher darinf at gmail.com
Wed Jan 23 08:52:31 PST 2008


HTTP auth headers may be required to access the internet (e.g., to pass a
request through a proxy server), so this should only apply to the
Authorization request header, right?
-Darin


On Jan 22, 2008 11:27 PM, Ian Hickson <ian at hixie.ch> wrote:

> On Tue, 22 Jan 2008, dolphinling wrote:
> >
> > HTML5 doesn't say anything about whether a referer should be sent with
> > the POST generated by <a ping>. There is a new attack vector <a ping>
> > opens (as currently being discussed on mozilla.dev.platform) that would
> > be blocked if the referer were not sent.
>
> Fixed. I also said to not include Cookies or HTTP auth headers. Legitimate
> uses can always include whatever information they want in the ping=""
> attribute's value itself.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>
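
Added example, not part of the thread and not any browser's code: the ping header policy discussed above, under the reading Darin asks about, where Referer, Cookie and Authorization are withheld and Proxy-Authorization is kept. The function names, hosts and header values are made up for illustration.

```javascript
// Added illustration: all names here are hypothetical, not taken from the
// HTML5 draft or from any browser's source.

// Request headers the thread says a ping POST should not carry. They are
// end-to-end headers that identify the user or the linking page to the target.
const STRIPPED_FROM_PING = new Set(["referer", "cookie", "authorization"]);

// Split the headers a browser would attach to an ordinary request into those
// kept on a ping and those dropped. Header names are case-insensitive.
function filterPingHeaders(ambient) {
  const headers = {};
  const dropped = [];
  for (const [name, value] of Object.entries(ambient)) {
    if (STRIPPED_FROM_PING.has(name.toLowerCase())) dropped.push(name);
    else headers[name] = value;
  }
  return { headers, dropped };
}

// Build one POST description per URL in a space-separated ping="" value.
// Anything the receiver needs travels in the URL itself.
function buildPings(pingAttr, documentUrl, ambient) {
  const { headers, dropped } = filterPingHeaders(ambient);
  return pingAttr.trim().split(/\s+/).filter(Boolean).map((token) => ({
    method: "POST",
    url: new URL(token, documentUrl).href,
    headers: { ...headers },
    dropped,
  }));
}

// Constructed sample input (example.* hosts and all values are made up).
const sampleAmbient = {
  Referer: "https://mail.example.com/inbox?folder=private",
  Cookie: "session=constructed-value",
  Authorization: "Basic constructed-placeholder",
  "Proxy-Authorization": "Basic constructed-proxy-placeholder",
  "User-Agent": "ExampleBrowser/1.0",
};
const samplePings = buildPings(
  "/track?link=42 https://stats.example.net/p?src=article-7",
  "https://news.example.com/story.html",
  sampleAmbient
);
console.log(JSON.stringify(samplePings, null, 2));
```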