[whatwg] Referer header sent with <a ping>?

On Feb 1, 2008 2:45 PM, Julian Reschke <julian.reschke at gmx.de> wrote:

> Ian Hickson wrote:
> >> This would make it easy to protect against unwanted ping-originated
> >> requests (one could configure server or set up application firewall to
> >> filter pings), and URL in <a ping> wouldn't have to contain copies of
> >> page's URL and href.
> >
> > What do people think of this idea:
> >
> > We make "Referer" always have the value "PING".
>
> Referer takes a relative reference, or a URI. Not a good idea.
>

Indeed :(

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36

>
> > We add two headers, "X-Ping-From" which has the value of the page that had
> > the link, and "X-Ping-To" which has the value of the page that is being
> > opened.
>
> You don't need any new headers.
>
> Define a content type, and send the information you want to transmit in
> the request body.
>
> > We continue to send all cookie and authentication headers.
> >
> > What do people think? Would this address all the issues raised?
>
>
> BR, Julian
>
>

Received on Saturday, 2 February 2008 08:10:42 UTC
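
Added example, not part of the original message or of any specification: a server-side filter of the kind the thread has in mind, which recognises a ping-originated request by either marker proposed above (the "X-Ping-From"/"X-Ping-To" headers, or a dedicated content type) and accepts it only at a dedicated collector path. The media type, the collector path and the sample requests are hypothetical values constructed for illustration.

```python
from urllib.parse import urlsplit

PING_FROM = "x-ping-from"   # header name proposed in the thread
PING_TO = "x-ping-to"       # header name proposed in the thread
# Hypothetical: the thread suggests defining a content type but names none.
PING_MEDIA_TYPE = "application/x-ping-audit"
# Hypothetical: the only paths on this site that are meant to receive pings.
PING_ENDPOINTS = {"/audit/ping"}


def is_absolute_http_url(value):
    """True for an absolute http(s) URL, which is what a page address must be."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def classify(path, headers):
    """Return 'normal', 'ping-accepted' or 'ping-rejected' for one request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    marked = PING_FROM in h or PING_TO in h or media_type == PING_MEDIA_TYPE
    if not marked:
        return "normal"
    # Pings still carry cookies and authentication headers, so a marked
    # request is refused everywhere except the dedicated collector.
    if urlsplit(path).path not in PING_ENDPOINTS:
        return "ping-rejected"
    # At the collector, the two headers must hold page addresses.
    for name in (PING_FROM, PING_TO):
        if name in h and not is_absolute_http_url(h[name]):
            return "ping-rejected"
    return "ping-accepted"


# Constructed sample requests (not captured traffic).
SAMPLE_PING = {
    "X-Ping-From": "https://news.example/story",
    "X-Ping-To": "https://shop.example/item",
    "Cookie": "sid=abc",
}

if __name__ == "__main__":
    for path in ("/account/delete?id=7", "/audit/ping"):
        print(path, "->", classify(path, SAMPLE_PING))
```

The marker is set by the browser that sends the ping, so this filters unwanted pings from conforming browsers; it does not authenticate the sender.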