
Re: [whatwg] Referer header sent with <a ping>?

From: Kornel Lesinski <kornel@geekhood.net>
Date: Sat, 02 Feb 2008 00:14:16 -0000
To: "Julian Reschke" <julian.reschke@gmx.de>
Cc: "public-html@w3.org" <public-html@w3.org>
Message-ID: <op.t5vex2ewptj49s@aimac.local>

On Fri, 01 Feb 2008 23:30:32 -0000, Julian Reschke <julian.reschke@gmx.de>  
wrote:

>>> Referer takes a relative reference, or a URI.
>> Theoretically it does, but I haven't seen a UA or application that
>> supports it. Anyway, it could be made a URI with a useless scheme, like
>> about:ping.
>
> How is that better compared to not sending the Referer header at all?

Because not every client sends Referer, web applications have to accept
requests without any Referer at all. A bogus Referer value avoids such
whitelisting and can easily be blocked by anti-CSRF mechanisms.

A special Content-Type might work equally well -- it can be detected by
tools that scan headers only, and should prevent applications from
accepting unexpected POSTs.

>> Another advantage of headers is that Apache could log pings without
>> the help of any scripts or non-standard modules -- the LogFormat
>> directive allows logging of arbitrary headers.
>
> I'm not sure how this is relevant...

IMHO it's an advantage of a header-based solution -- instead of having to
write and execute a custom parser, one can set up efficient logging with
one line of server config.

-- 
regards, Kornel Lesinski
Received on Saturday, 2 February 2008 00:14:39 GMT
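The two server-side checks this reply argues about (a Referer whitelist that must tolerate an absent Referer yet rejects a bogus value such as about:ping, and a Content-Type filter that refuses POSTs that are not ordinary form submissions), as an added Python example that is not part of the original thread; the site origin, the header values, the function names and the "x-example/ping" media type are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed origin of the protected web application (constructed for this example).
SITE_ORIGIN = "https://app.example"

# Media types an ordinary HTML form can produce; anything else is "unexpected".
FORM_CONTENT_TYPES = (
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
)


def referer_check(headers: dict) -> str:
    """Classify a state-changing request by its Referer header.

    Returns:
      "allow-missing"       no Referer at all; proxies and privacy tools strip
                            it, so an app that must work for every client has
                            to let these through (the whitelisting hole the
                            thread describes)
      "allow-same-origin"   Referer has the site's own scheme://host[:port]
      "block-cross-origin"  Referer names some other http(s) origin
      "block-bogus"         Referer is present but is a relative reference or
                            a non-http(s) URI such as about:ping, which can
                            never match a whitelist entry
    """
    referer = headers.get("Referer")
    if referer is None:
        return "allow-missing"
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "block-bogus"
    origin = f"{parts.scheme}://{parts.netloc}"
    if origin == SITE_ORIGIN:
        return "allow-same-origin"
    return "block-cross-origin"


def content_type_check(headers: dict) -> str:
    """Accept only POST bodies whose media type a browser form would send."""
    content_type = headers.get("Content-Type", "")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in FORM_CONTENT_TYPES:
        return "allow-form"
    return "block-unexpected"
```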
