- From: Kornel Lesinski <kornel@geekhood.net>
- Date: Fri, 01 Feb 2008 23:17:59 -0000
- To: "Julian Reschke" <julian.reschke@gmx.de>
- Cc: "public-html@w3.org" <public-html@w3.org>
On Fri, 01 Feb 2008 22:45:37 -0000, Julian Reschke <julian.reschke@gmx.de> wrote:

>>> This would make it easy to protect against unwanted ping-originated
>>> requests (one could configure server or set up application firewall to
>>> filter pings), and URL in <a ping> wouldn't have to contain copies of
>>> page's URL and href.
>> What do people think of this idea:
>> We make "Referer" always have the value "PING".
>
> Referer takes a relative reference, or a URI.

Theoretically it does, but I haven't seen a UA or an application that supports it. Anyway, it could be made a URI with a useless scheme, like about:ping.

>> We add two headers, "X-Ping-From" which has the value of the page that
>> had the link, and "X-Ping-To" which has the value of the page that is
>> being opened.
>
> You don't need any new headers.
>
> Define a content type, and send the information you want to transmit in
> the request body.

The point of it all is to make abuse of ping for CSRF harder, so standard body formats like www-form-urlencoded or XML are undesirable, but non-standard formats will require access to raw post data and custom parsers, which isn't as easy as reading headers.

Another advantage of headers is that Apache could log pings without help of any scripts or non-standard modules - the LogFormat directive allows logging of arbitrary headers.

-- 
regards, Kornel Lesinski
Received on Friday, 1 February 2008 23:18:37 UTC
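The two server-side uses argued for above (logging pings from headers alone, and filtering ping-originated requests so they cannot be turned into CSRF) can both be expressed in stock Apache httpd configuration. The following is an added example written for this archive page, not configuration from the thread or from any specification. It assumes the conventions proposed in the message, none of which are a shipped standard: a fixed Referer value of about:ping, and request headers named X-Ping-From and X-Ping-To. The /ping endpoint path, the log file names and the presence of the usual "combined" LogFormat nickname are also assumptions.

```apache
# Added example: log and filter ping-originated requests in Apache httpd 2.4.
# Assumes the thread's proposal (Referer fixed to "about:ping", headers
# X-Ping-From and X-Ping-To); /ping and the log file names are assumptions.

# Mark every request whose Referer is the fixed ping value (mod_setenvif).
SetEnvIf Referer "^about:ping$" is_ping

# Log pings without any script: %{Header}i writes the named request header.
LogFormat "%h %t \"%r\" %>s \"%{Referer}i\" \"%{X-Ping-From}i\" \"%{X-Ping-To}i\"" pinglog
CustomLog "logs/ping_log" pinglog env=is_ping

# Keep pings out of the normal access log so they don't inflate page-view counts.
CustomLog "logs/access_log" combined env=!is_ping

# CSRF containment (mod_rewrite): a ping may only reach the dedicated ping
# endpoint. A ping-marked request aimed at any other URL, such as a form
# handler or an API, is refused with 403 before the application sees it.
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^about:ping$
RewriteCond %{REQUEST_URI} !^/ping$
RewriteRule ^ - [F]
```

The filter relies on the user agent honouring the fixed Referer value, which is exactly why the message prefers a header-level marker over a body format: the decision can be made by the web server (or a front-end proxy) from headers it already parses, with no need to read or interpret the POST body.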