[whatwg] Referer header sent with <a ping>?

On Wed, 23 Jan 2008 07:27:16 -0000, Ian Hickson <ian at hixie.ch> wrote:

>> HTML5 doesn't say anything about whether a referer should be sent with
>> the POST generated by <a ping>. There is a new attack vector <a ping>
>> opens (as currently being discussed on mozilla.dev.platform) that would
>> be blocked if the referer were not sent.
>
> Fixed. I also said to not include Cookies or HTTP auth headers.  
> Legitimate uses can always include whatever information they want in the  
> ping=""
> attribute's value itself.

Doesn't that kill use of ping for tracking ad clicks? I think ad providers  
want to have cookies to track individual users across domains, and site  
that serves <a> is unable to provide that. Maybe ping could allow only  
cookies with a certain name/naming scheme?


I don't think that attack vector discussed on mozilla.dev.platform should  
be taken so seriously. In my opinion case when <a ping> enables attack  
(instead of being just one of countless possible attack vectors) is very  
very unlikely:

- If site accepts data from GET as well as POST (e.g. is using PHP's  
register_globals), then <a ping> is not needed at all -- a better attack  
can be performed with simple <img src> or <a href>.
- If site allows HTML from untrusted source and allows ping to slip  
through, it is very likely that the site can be tricked to allow other  
potentially dangerous attributes or scripts.
- Because not all browsers/proxies/firewalls send Referer header,  
public-facing websites have to accept POSTs without Referer, so forbidding  
Referer for <a ping> may not increase security and even make it harder to  
protect against CSRF.

OTOH Referer can help save bandwidth. Without it page may need to include  
its own URL in every <a ping> attribute. On pages with lots of links  
(portals, directories) this can noticeably increases size of HTML.

Maybe these problems could be solved with an additional HTTP header in the  
ping request? e.g.:

X-Ping: from="http://example.com/here", to="http://example.com/there"

This would make it easy to protect against unwanted ping-originated  
requests (one could configure server or set up application firewall to  
filter pings), and URL in <a ping> wouldn't have to contain copies of  
page's URL and href.

-- 
regards, Kornel Lesi?ski

Received on Wednesday, 23 January 2008 17:25:03 UTC