- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 02 Feb 2008 00:30:32 +0100
- To: Kornel Lesinski <kornel@geekhood.net>
- CC: "public-html@w3.org" <public-html@w3.org>
Kornel Lesinski wrote:
>> Referer takes a relative reference, or a URI.
>
> Theoretically it does, but I haven't seen UA nor application that
> supports it. Anyway, it could be made an URI with useless scheme, like
> about:ping.

How is that better compared not to send the Referer header at all?

>> You don't need any new headers.
>>
>> Define a content type, and send the information you want to transmit
>> in the request body.
>
> The point of it all is to make abuse of ping for CSRF harder, so
> standard body formats like www-form-urlencoded or XML are undesirable,
> but non-standard formats will require access to raw post data and
> custom parsers, which isn't as easy as reading headers.

So define a custom format.

> Another advantage of headers is that Apache could log pings without help
> of any scripts or non-standard modules - LogFormat directive allows
> logging of arbitrary headers.

I'm not sure how this is relevant...

BR, Julian
Received on Friday, 1 February 2008 23:30:47 UTC
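An added example, not from this thread or any W3C draft, of the "define a custom format" position: a server-side check that accepts a ping only when it arrives with a custom media type and body grammar (both constructed assumptions here, `application/x-ping` and `from:`/`to:` lines) and rejects every encoding an HTML form can produce, which is what makes a cross-site form forgery of the request harder.

```python
import re
from urllib.parse import urlsplit

# Hypothetical media type for the custom ping format; the thread names none.
PING_CONTENT_TYPE = "application/x-ping"

# The only body encodings an HTML form can produce. A cross-site form POST,
# the usual CSRF vehicle, can never carry any other Content-Type.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# Constructed body grammar: exactly one "from: <uri>" and one "to: <uri>" line.
_FIELD = re.compile(r"^(from|to):\s*(\S+)$", re.IGNORECASE)


def check_ping(method, headers, body):
    """Accept a ping only in the custom format; return (accepted, reason, fields)."""
    if method != "POST":
        return False, "not a POST", None
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype in FORM_TYPES:
        return False, "form-submittable content type", None
    if ctype != PING_CONTENT_TYPE:
        return False, "unexpected content type", None
    try:
        lines = body.decode("ascii").splitlines()
    except UnicodeDecodeError:
        return False, "non-ASCII body", None
    fields = {}
    for line in lines:
        m = _FIELD.match(line)
        if not m or m.group(1).lower() in fields:
            return False, "malformed body", None
        fields[m.group(1).lower()] = m.group(2)
    if set(fields) != {"from", "to"}:
        return False, "missing from/to", None
    for uri in fields.values():
        parts = urlsplit(uri)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return False, "from/to must be absolute http(s) URIs", None
    return True, "ok", fields


# Constructed sample requests: one genuine ping, one cross-site form submission.
GOOD_PING = ("POST", {"Content-Type": "application/x-ping"},
             b"from: http://a.example/page\nto: http://b.example/target")
FORGED_FORM = ("POST", {"Content-Type": "application/x-www-form-urlencoded"},
               b"from=http%3A%2F%2Fa.example%2Fpage&to=http%3A%2F%2Fb.example%2Ftarget")

if __name__ == "__main__":
    for req in (GOOD_PING, FORGED_FORM):
        print(check_ping(*req))
```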