Re: [whatwg] Referer header sent with <a ping>?

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 02 Feb 2008 00:30:32 +0100
Message-ID: <47A3AB98.4050302@gmx.de>
To: Kornel Lesinski <kornel@geekhood.net>
CC: "public-html@w3.org" <public-html@w3.org>

Kornel Lesinski wrote:
>> Referer takes a relative reference, or a URI.
> 
> Theoretically it does, but I haven't seen a UA or application that
> supports it. Anyway, it could be made a URI with a useless scheme, like
> about:ping.

How is that better compared to not sending the Referer header at all?

>> You don't need any new headers.
>>
>> Define a content type, and send the information you want to transmit 
>> in the request body.
> 
> The point of it all is to make abuse of ping for CSRF harder, so 
> standard body formats like www-form-urlencoded or XML are undesirable, 
> but non-standard formats will require access to raw post data and
> custom parsers, which isn't as easy as reading headers.

So define a custom format.

> Another advantage of headers is that Apache could log pings without the help
> of any scripts or non-standard modules - LogFormat directive allows 
> logging of arbitrary headers.

I'm not sure how this is relevant...

BR, Julian
Received on Friday, 1 February 2008 23:30:47 GMT