[whatwg] Referer header sent with <a ping>?

On Tue, 12 Feb 2008 21:54:25 -0000, Philip Taylor <pjt47 at cam.ac.uk> wrote:

> It's quite a different situation when the Referer is used as a security  
> measure in deciding to trust a user's request, where false negatives can  
> have significant consequences (like editing data via cross-site request  
> forgery). That is the situation where <a ping> mustn't introduce new  
> risks.
>
> I looked for some examples of code that checks the Referer for security,  
> and found:
[...]

That's interesting. In that case attack outlined on Mozilla's list is even  
less likely to succeed than I thought. So maybe a "less abusive" approach  
would suffice:

* if ping is cross-domain, always send Referer
* if ping originates from the same domain, don't send any Referer at all

-- 
regards, Kornel Lesi?ski

Received on Tuesday, 12 February 2008 16:32:39 UTC