[whatwg] Referer header sent with <a ping>?

Perhaps this has been suggested before, but another option is to use a
new verb, such as PING, instead of GET when making the request.
Servers unaware of the ping attribute will likely ignore this verb,
mitigating the request-forgery attack vector.

Adam


On Feb 2, 2008 2:13 PM, Julian Reschke <julian.reschke at gmx.de> wrote:
> Ian Hickson wrote:
> > Interesting.
> >
> > I see two ways forward here. One would be to redefine Referer to remove
> > the relative URI thing, since, to my knowledge at least, nobody uses it.
>
> That's IMHO not sufficient reason to remove it. It's not broken.
>
> > The other is that we can define the magic value to be "#PING" instead,
> > since that's a non-conforming Referer value right now.
> >
> > Would that work for people? dolphinling? Darin?
>
> It's not conforming, so are you suggesting to use a non-conforming value?
>
> Me confused.
>
> Could you please state what problem you are trying to solve, and why it
> needs to involve the Referer header?
>
> >>> We add two headers, "X-Ping-From" which has the value of the page that
> >>> had the link, and "X-Ping-To" which has the value of the page that is
> >>> being opened.
> >> You don't need any new headers.
> >>
> >> Define a content type, and send the information you want to transmit in
> >> the request body.
> >
> > The idea, as others have noted, is to keep the entity body empty so as to
> > avoid any issues with servers that ignore the headers and process the body
> > (which is relatively common).
>
> Are you saying it wasn't a good idea to use POST after all because of
> these risks?
>
> BR, Julian
>

Received on Saturday, 2 February 2008 14:19:23 UTC
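As an added illustration of the distinct-verb idea in Adam's message (a constructed example, not code from the thread, from any browser, or from any server): a toy method-based router in which a legacy GET endpoint is untouched by a request carrying a PING verb, while a ping-aware endpoint validates the empty entity body and the X-Ping-From / X-Ping-To headers from the quoted exchange. The paths, hostnames and validation rules are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def legacy_vote(req: Request):
    # Legacy endpoint written before <a ping> existed: any GET casts a vote.
    if req.method != "GET":
        return 405, "method not allowed"
    return 200, "vote recorded"


def ping_receiver(req: Request):
    # Ping-aware endpoint (assumed rules): the proposed PING verb, an empty
    # body, and both headers present as absolute http(s) URLs.
    if req.method != "PING":
        return 405, "method not allowed"
    if req.body:
        return 400, "ping must carry an empty entity body"
    src, dst = req.headers.get("X-Ping-From"), req.headers.get("X-Ping-To")
    if not src or not dst:
        return 400, "missing X-Ping-From or X-Ping-To"
    for url in (src, dst):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return 400, f"non-absolute ping URL: {url}"
    return 200, f"ping from {src} to {dst}"


ROUTES = {"/vote": legacy_vote, "/ping": ping_receiver}


def dispatch(req: Request):
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


def browser_ping(verb: str, ping_path: str) -> Request:
    # Constructed model of the request a browser would emit for a link with
    # a ping attribute; verb is "GET" (the risky case) or "PING" (proposed).
    return Request(verb, ping_path, {
        "X-Ping-From": "https://linking.example/page",
        "X-Ping-To": "https://target.example/",
    })


if __name__ == "__main__":
    print(dispatch(browser_ping("GET", "/vote")))   # unaware handler acts
    print(dispatch(browser_ping("PING", "/vote")))  # same handler ignores it
    print(dispatch(browser_ping("PING", "/ping")))  # ping-aware endpoint
```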