- From: Kornel Lesinski <kornel@geekhood.net>
- Date: Sat, 02 Feb 2008 00:14:16 -0000
- To: "Julian Reschke" <julian.reschke@gmx.de>
- Cc: "public-html@w3.org" <public-html@w3.org>
On Fri, 01 Feb 2008 23:30:32 -0000, Julian Reschke <julian.reschke@gmx.de> wrote:

>>> Referer takes a relative reference, or a URI.
>> Theoretically it does, but I haven't seen UA nor application that
>> supports it. Anyway, it could be made an URI with useless scheme, like
>> about:ping.
>
> How is that better compared not to send the Referer header at all?

Because not every client sends Referer, web applications have to accept requests without Referer at all. Bogus referer value avoids such whitelisting and can be easily blocked by anti-CSRF mechanisms.

Special Content-Type might work equally well -- it can be detected by tools scanning headers only, and should prevent applications from accepting unexpected POST.

>> Another advantage of headers is that Apache could log pings without
>> help of any scripts or non-standard modules - LogFormat directive
>> allows logging of arbitrary headers.
>
> I'm not sure how this is relevant...

IMHO it's an advantage of header-based solution -- instead of having to write and execute custom parser, one can set up efficient logging with one line of server config.

--
regards, Kornel Lesinski
Received on Saturday, 2 February 2008 00:14:39 UTC
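
The header-based logging and blocking described in the message above, as an added example that is not part of the original thread. It assumes Apache 2.4 with mod_setenvif, mod_log_config and mod_authz_core, uses the `about:ping` Referer value floated in the thread, and the log file names and the `/app` path are hypothetical.

```apache
# Added example, not from the thread. "about:ping" is the Referer value
# suggested in the message; file names and /app are hypothetical.

# Tag any request whose Referer is exactly the bogus ping value.
SetEnvIf Referer "^about:ping$" is_ping

# Format for pings: records the two headers discussed in the thread.
LogFormat "%h %t \"%r\" %>s \"%{Referer}i\" \"%{Content-Type}i\"" pinglog

# Standard combined format, defined here so the fragment is self-contained.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# Pings go to their own log; everything else goes to the normal access log.
CustomLog "logs/ping_log" pinglog env=is_ping
CustomLog "logs/access_log" combined env=!is_ping

# Tagged requests are refused before they reach the application, so a ping
# cannot be accepted there as an unexpected POST.
<Location "/app">
    <RequireAll>
        Require all granted
        Require not env is_ping
    </RequireAll>
</Location>
```

Clients that send no Referer at all are not tagged and are handled by the application's own anti-CSRF checks, which matches the point made in the message about requests without Referer.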