Kornel Lesinski wrote:
>> How is that better compared to not sending the Referer header at all?
>
> Because not every client sends Referer, web applications have to accept
> requests without Referer at all. A bogus referer value avoids such
> whitelisting and can be easily blocked by anti-CSRF mechanisms.

So you want to abuse HTTP/1.1 to implement blocking of ping requests.
That's really backwards. Instead, define the ping request in a way that it
can be properly detected.

> Special Content-Type might work equally well -- it can be detected by
> tools scanning headers only, and should prevent applications from
> accepting unexpected POST.

See?

> ...

BR, Julian

Received on Saturday, 2 February 2008 10:02:07 GMT
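The two screening strategies argued over above, side by side, as an added example that is not part of the mailing-list thread. It models a form handler's server-side gate in Python: a Referer-based check that must let a missing Referer through (Kornel's point), and a Content-Type-based check that needs no Referer at all (Julian's point). The app origin `https://app.example`, the bogus Referer value `ping`, and the ping media type `text/ping` are assumptions made for the illustration, not values taken from the thread.

```python
# Added example (not from the W3C list thread): two ways a form handler can
# screen a cross-site POST, to show why a distinct Content-Type is a cleaner
# signal than a bogus Referer. Origin, media type and Referer values below are
# assumed for illustration.
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # assumed origin of the protected application

# Media types a browser form submission can legitimately produce.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def referer_check(headers):
    """Referer-based CSRF screening as applications commonly deploy it.

    Many clients and proxies strip Referer, so a missing header has to be
    accepted; only a Referer that is present but not from our origin is
    rejected. A ping that sends no Referer therefore sails through, while
    a ping that sends a non-URL value such as "ping" is rejected.
    """
    ref = _header(headers, "Referer")
    if ref is None:
        return "accept"  # cannot distinguish from a legitimate Referer-less client
    parts = urlsplit(ref)
    origin = f"{parts.scheme}://{parts.netloc}"
    return "accept" if origin == SITE_ORIGIN else "reject"


def content_type_check(headers):
    """Content-Type screening: accept only media types a form can send.

    A ping request carrying its own media type (assumed here: text/ping) is
    rejected regardless of whether a Referer is present, and the decision
    can be made by anything that only looks at headers.
    """
    raw = _header(headers, "Content-Type") or ""
    media_type = raw.split(";", 1)[0].strip().lower()
    return "accept" if media_type in FORM_TYPES else "reject"


def classify(headers):
    """Run both checks on one request and return their verdicts."""
    return {"referer": referer_check(headers), "content_type": content_type_check(headers)}


if __name__ == "__main__":
    # Constructed sample requests; none were captured from a real client.
    samples = {
        "normal form post": {
            "Referer": "https://app.example/profile",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "ping, no Referer, form media type": {
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "ping, bogus Referer": {
            "Referer": "ping",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "ping, distinct Content-Type, no Referer": {
            "Content-Type": "text/ping",
        },
    }
    for name, hdrs in samples.items():
        print(f"{name:45s} {classify(hdrs)}")
```

Running the script shows the asymmetry: the Referer check accepts the Referer-less ping and only blocks it once the client is made to send a deliberately broken Referer, whereas the Content-Type check blocks the ping on its declared media type alone and still accepts an ordinary form submission.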