[whatwg] Referer header sent with <a ping>?

On Jan 30, 2008 12:33 PM, Ian Hickson <ian at hixie.ch> wrote:

> On Wed, 23 Jan 2008, Darin Fisher wrote:
> >
> > HTTP auth headers may be required to access the internet (e.g., to pass
> > a request through a proxy server), so this should only apply to the
> > Authorization request header, right?
>
> On Thu, 24 Jan 2008, Kornel Lesinski wrote:
> >
> > I don't think that attack vector discussed on mozilla.dev.platform
> > should be taken so seriously. In my opinion case when <a ping> enables
> > attack (instead of being just one of countless possible attack vectors)
> > is very very unlikely:
> >
> > - If site accepts data from GET as well as POST (e.g. is using PHP's
> > register_globals), then <a ping> is not needed at all -- a better attack
> > can be performed with simple <img src> or <a href>.
> >
> > - If site allows HTML from untrusted source and allows ping to slip
> > through, it is very likely that the site can be tricked to allow other
> > potentially dangerous attributes or scripts.
> >
> > - Because not all browsers/proxies/firewalls send Referer header,
> > public-facing websites have to accept POSTs without Referer, so
> > forbidding Referer for <a ping> may not increase security and even make
> > it harder to protect against CSRF.
> >
> > OTOH Referer can help save bandwidth. Without it the page may need to
> > include its own URL in every <a ping> attribute. On pages with lots of
> > links (portals, directories) this can noticeably increase the size of HTML.
> >
> > Maybe these problems could be solved with an additional HTTP header in
> > the ping request? e.g.:
> >
> > X-Ping: from="http://example.com/here", to="http://example.com/there"
> >
> > This would make it easy to protect against unwanted ping-originated
> > requests (one could configure server or set up application firewall to
> > filter pings), and URL in <a ping> wouldn't have to contain copies of
> > page's URL and href.
>
> What do people think of this idea:
>
> We make "Referer" always have the value "PING".
>
> We add two headers, "X-Ping-From" which has the value of the page that had
> the link, and "X-Ping-To" which has the value of the page that is being
> opened.
>
> We continue to send all cookie and authentication headers.
>
> What do people think? Would this address all the issues raised?



Seems good to me.  It nicely addresses many of the concerns, and it also
makes <a ping> easier to use since you don't have to encode as much
information into the value of the ping attribute.

I suppose that X-Ping-From/To should be stripped (like Referer) when one of
those values is HTTPS and the ping attribute is non-HTTPS?

-Darin
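As an added illustration (not code from this thread, and not what any browser ships), here is the proposal above written out on both sides in Python: the browser-side header construction, including the HTTPS-to-HTTP stripping raised in the reply, and a server-side filter of the kind Kornel suggested for keeping ping-originated POSTs away from ordinary handlers. The `Referer: PING` marker and the `X-Ping-From`/`X-Ping-To` names are the thread's; the function names, the allowlist and the sample URLs are assumed.

```python
from urllib.parse import urlsplit

PING_MARKER = "PING"  # the fixed Referer value proposed in the thread

def origin_of(url):
    """scheme://host[:port] of a URL, lowercased (assumed helper, not from the thread)."""
    u = urlsplit(url)
    return f"{u.scheme.lower()}://{u.netloc.lower()}"

def build_ping_headers(page_url, target_url, ping_url):
    """Browser side: headers attached to the ping POST under the proposal.

    Referer is always "PING"; X-Ping-From/To carry the page and the link target.
    Following the reply above, both X-Ping-* headers are withheld when either
    value is HTTPS but the ping URL itself is not, so secure URLs never leak
    onto a plaintext channel."""
    headers = {"Referer": PING_MARKER}
    secure_source = any(urlsplit(u).scheme.lower() == "https" for u in (page_url, target_url))
    if secure_source and urlsplit(ping_url).scheme.lower() != "https":
        return headers  # downgrade: send only the marker
    headers["X-Ping-From"] = page_url
    headers["X-Ping-To"] = target_url
    return headers

def classify_request(headers, path, ping_endpoint, allowed_from_origins):
    """Server side: decide what to do with an incoming POST.

    Returns "normal" (not ping-originated; the usual CSRF rules apply),
    "reject" (ping-originated but not acceptable) or "ping" (acceptable).
    A request marked Referer: PING may only reach the ping endpoint, and
    only from an allowlisted X-Ping-From origin."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get("referer") != PING_MARKER:
        return "normal"
    if path != ping_endpoint:
        return "reject"  # pings never reach other handlers
    ping_from = h.get("x-ping-from")
    if ping_from is None or origin_of(ping_from) not in allowed_from_origins:
        return "reject"  # header stripped on downgrade, or origin not trusted
    return "ping"

if __name__ == "__main__":
    # constructed sample values
    print(build_ping_headers("https://example.com/here", "http://example.com/there", "http://stats.example.net/ping"))
    print(classify_request({"Referer": "PING", "X-Ping-From": "http://example.com/here"}, "/ping", "/ping", {"http://example.com"}))
```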

Received on Thursday, 31 January 2008 17:03:01 UTC