- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Fri, 30 Jan 2009 14:19:36 +0100
- To: ietf-http-wg@w3.org
On Fri, Jan 30, 2009 at 9:23 AM, Mark Nottingham wrote:
>
> On 25/01/2009, at 10:16 AM, Adam Barth wrote:
>>
>> The essential point which you are misunderstanding is this:
>>
>> 1) The attacker can force a user agent to suppress the Referer header,
>> mimicking a user behind a Referer-stripping proxy.
>
> Can you walk us through this attack, please? Or give a reference...

http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

Page 6: "Case Study: Facebook" contains an example; though I suspect there are other ways of suppressing the Referer.

--
Thomas Broyer
Received on Friday, 30 January 2009 13:20:17 UTC
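Added illustration, not from the thread or the cited paper: a small Python Referer check run over constructed sample requests, showing why a "lenient" check that accepts a missing Referer (to accommodate users behind Referer-stripping proxies) is weaker than a strict one once an attacker can make the browser send no Referer at all. The protected origin https://example.test and the sample headers are assumptions.

```python
from urllib.parse import urlsplit

# Origin of the site whose state-changing endpoints are being protected (assumed).
SITE_ORIGIN = "https://example.test"


def referer_origin(headers):
    """Return the scheme://host[:port] origin from the Referer header, or None if absent."""
    ref = headers.get("Referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    if not parts.scheme or not parts.netloc:
        return None  # an unparsable Referer is treated like a missing one
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_check_passes(headers, strict):
    """Referer-based CSRF check.

    strict=True  rejects requests that carry no usable Referer.
    strict=False (lenient) lets them through; that is the gap discussed in the
    thread, since an attacker can force the browser to omit the header.
    """
    origin = referer_origin(headers)
    if origin is None:
        return not strict
    return origin == SITE_ORIGIN


# Constructed sample requests (headers only).
SAME_SITE = {"Referer": "https://example.test/settings"}
CROSS_SITE = {"Referer": "https://attacker.example/page"}
NO_REFERER = {}  # as seen behind a Referer-stripping proxy, or when suppressed by an attacker


def summarize(strict):
    """Map each sample request to the check's verdict in the given mode."""
    return {
        "same_site": referer_check_passes(SAME_SITE, strict),
        "cross_site": referer_check_passes(CROSS_SITE, strict),
        "no_referer": referer_check_passes(NO_REFERER, strict),
    }


if __name__ == "__main__":
    print("lenient:", summarize(strict=False))  # no_referer passes: the gap
    print("strict: ", summarize(strict=True))   # no_referer is rejected
```

Strict mode closes the gap at the cost of rejecting legitimate users whose proxies strip the header, which is the trade-off that motivates lenient checking in the first place.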