- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 22 Jan 2009 17:47:59 -0800
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>

On Thu, Jan 22, 2009 at 4:41 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> I don't understand -- the only case that would be affected
> is the one wherein no Referer is sent today.

The problematic case is when the Referer header is suppressed by the network (e.g., proxies). In this case, the Referer header is suppressed regardless of its value. Choosing a different value will not help Web sites defend themselves against CSRF.

Adam

Received on Friday, 23 January 2009 01:48:39 UTC