W3C home > Mailing lists > Public > public-html@w3.org > February 2008

Re: [whatwg] Referer header sent with <a ping>?

From: Kornel Lesinski <kornel@geekhood.net>
Date: Fri, 01 Feb 2008 23:17:59 -0000
To: "Julian Reschke" <julian.reschke@gmx.de>
Cc: "public-html@w3.org" <public-html@w3.org>
Message-ID: <op.t5vcceg0ptj49s@aimac.local>

On Fri, 01 Feb 2008 22:45:37 -0000, Julian Reschke <julian.reschke@gmx.de>  
wrote:

>>> This would make it easy to protect against unwanted ping-originated  
>>> requests (one could configure server or set up application firewall to  
>>> filter pings), and URL in <a ping> wouldn't have to contain copies of  
>>> page's URL and href.
>>  What do people think of this idea:
>>  We make "Referer" always have the value "PING".
>
> Referer takes a relative reference, or a URI.

Theoretically it does, but I haven't seen UA nor application that supports  
it. Anyway, it could be made an URI with useless scheme, like about:ping.

>> We add two headers, "X-Ping-From" which has the value of the page that  
>> had the link, and "X-Ping-To" which has the value of the page that is  
>> being opened.
>
> You don't need any new headers.
>
> Define a content type, and send the information you want to transmit in  
> the request body.

The point of it all is to make abuse of ping for CSRF harder, so standard  
body formats like www-form-urlencoded or XML are undesirable, but  
non-standard formats will require acceess to raw post data and custom  
parsers, which isn't as easy as reading headers.

Another advantage of headers is that Apache could log pings without help  
of any scripts or non-standard modules - LogFormat directive allows  
logging of arbitrary headers.

-- 
regards, Kornel Lesinski
Received on Friday, 1 February 2008 23:18:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:38:52 UTC