W3C home > Mailing lists > Public > public-html@w3.org > February 2008

Re: [whatwg] Referer header sent with <a ping>?

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 11 Feb 2008 07:08:20 +0000 (UTC)
To: Julian Reschke <julian.reschke@gmx.de>
Cc: "public-html@w3.org" <public-html@w3.org>
Message-ID: <Pine.LNX.4.62.0802110509590.20115@hixie.dreamhostps.com>

On Sun, 10 Feb 2008, Julian Reschke wrote:
> Ian Hickson wrote:
> > > > As noted by others, no Referer header is treated as a local Referer
> > > > header, which makes it susceptible to XSRF.
> > > Not sure what a "local" referer header would be.
> > > 
> > > I'm not sure which mail you are referring to (pointer, please), is 
> > > it 
> > > <http://lists.w3.org/Archives/Public/public-html/2008Feb/0014.html>?
> > 
> > Yes, that describes the problem. By "local" referrer I mean one that 
> > specifies a page with the same origin as the target URI.
> 
> So you're saying that recipients treat the absence of a Referer header 
> as indication the offering page was from the same origin?

More or less. What's really going on is that many pages treat a referer 
from an unexpected domain as a sign that a XSRF is being attempted, but 
treat the lack of referer or a referer from the same domain as being ok. 
Lack of referer is usually treated this way in order to handle users with 
software configured to strip all referers. (Many sites use a more secure 
variant where no referrer is treated as a remote site referrer, but this 
means the sites are unusable without referrer headers.)


> That would IMHO be contrary to what RFC2616 defines (the absence of the 
> Referer header means that the Referrer either doesn't have a URI, or the 
> client doesn't want to reveal it).

I don't think this is of much concern to many Web authors.


> Pointers, please.

I have no idea how to demonstrate this.


> > > > > Kornel wrote:
> > > > > > Another advantage of headers is that Apache could log pings 
> > > > > > without help of any scripts or non-standard modules - 
> > > > > > LogFormat directive allows logging of arbitrary headers.
> > > > >
> > > > > I'm not sure how this is relevant...
> > > >
> > > > It seems extremely relevant, as it enables cheap server-side use 
> > > > instead of requiring heavy lifting for the author.
> > >
> > > For the author?
> > 
> > Indeed.
> 
> How is the author affected?

I assume we are talking at cross-purposes here. The author would be the 
one setting up the logging of the pings. Thus anything that makes that 
affects how to log pings clearly affects the author.


> > Yes, absolutely. Indeed it's one of our principles:
> >    
> > http://www.w3.org/TR/html-design-principles/#priority-of-constituencies
> > 
> > Interoperability and compatibility with existing deployed servers is 
> > orders of magnitude more important to me than pedantic compliance to 
> > other specifications. Specifications exist to help move civilisation 
> > forward, not to provide arbitrary restrictions on progress. When a 
> > specification gets in the way of improving the Web, it should be 
> > changed or displaced.
> 
> I think you're reading something into the design principle it doesn't 
> say.

Well, that's what I meant when I contributed to that principle, so if it 
doesn't convey that to you, then it should be edited to make that clearer.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 11 February 2008 07:08:33 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:38:52 UTC