[whatwg] Referer header sent with <a ping>?

Darin Fisher darinf at gmail.com
Thu Jan 31 17:03:01 PST 2008

On Jan 30, 2008 12:33 PM, Ian Hickson <ian at hixie.ch> wrote:

> On Wed, 23 Jan 2008, Darin Fisher wrote:
> >
> > HTTP auth headers may be required to access the internet (e.g., to pass
> > a request through a proxy server), so this should only apply to the
> > Authorization request header, right?
> On Thu, 24 Jan 2008, Kornel Lesinski wrote:
> >
> > I don't think that attack vector discussed on mozilla.dev.platform
> > should be taken so seriously. In my opinion case when <a ping> enables
> > attack (instead of being just one of countless possible attack vectors)
> > is very very unlikely:
> >
> > - If site accepts data from GET as well as POST (e.g. is using PHP's
> > register_globals), then <a ping> is not needed at all -- a better attack
> > can be performed with simple <img src> or <a href>.
> >
> > - If site allows HTML from untrusted source and allows ping to slip
> > through, it is very likely that the site can be tricked to allow other
> > potentially dangerous attributes or scripts.
> >
> > - Because not all browsers/proxies/firewalls send Referer header,
> > public-facing websites have to accept POSTs without Referer, so
> > forbidding Referer for <a ping> may not increase security and even make
> > it harder to protect against CSRF.
> >
> > OTOH Referer can help save bandwidth. Without it page may need to
> > include its own URL in every <a ping> attribute. On pages with lots of
> > links (portals, directories) this can noticeably increases size of HTML.
> >
> > Maybe these problems could be solved with an additional HTTP header in
> > the ping request? e.g.:
> >
> > X-Ping: from="http://example.com/here", to="http://example.com/there"
> >
> > This would make it easy to protect against unwanted ping-originated
> > requests (one could configure server or set up application firewall to
> > filter pings), and URL in <a ping> wouldn't have to contain copies of
> > page's URL and href.
> What do people think of this idea:
> We make "Referer" always have the value "PING".
> We add two headers, "X-Ping-From" which has the value of the page that had
> the link, and "X-Ping-To" which has the value of the page that is being
> opened.
> We continue to send all cookie and authentication headers.
> What do people think? Would this address all the issues raised?

Seems good to me.  It nicely addresses many of the concerns, and it also
makes <a ping> easier to use since you don't have to encode as much
information into the value of the ping attribute.

I suppose that X-Ping-From/To should be striped (like Referer) when one of
those values is HTTPS and the ping attribute is non-HTTPS?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080131/a2d7ec1a/attachment-0001.htm>

More information about the whatwg mailing list