On Fri, Jan 30, 2009 at 9:23 AM, Mark Nottingham wrote:
> On 25/01/2009, at 10:16 AM, Adam Barth wrote:
>> The essential point which you are misunderstanding is this:
>> 1) The attacker can force a user agent to suppress the Referer header,
>> mimicking a user behind a Referer-stripping proxy.
> Can you walk us through this attack, please? Or give a reference...
Page 6: "Case Study: Facebook" contains an example; though I suspect
other ways of suppressing the Referer.