- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 02 Feb 2008 11:01:43 +0100
- To: Kornel Lesinski <kornel@geekhood.net>
- CC: "public-html@w3.org" <public-html@w3.org>
Kornel Lesinski wrote:

>> How is that better compared not to send the Referer header at all?
>
> Because not every client sends Referer, web applications have to accept
> requests without Referer at all. Bogus referer value avoids such
> whitelisting and can be easily blocked by anti-CSRF mechanisms.

So you want to abuse an HTTP/1.1 to implement blocking of ping requests. That's really backwards. Instead, define the ping request in a way it can be properly detected.

> Special Content-Type might work equally well -- it can be detected by
> tools scanning headers only, and should prevent applications from
> accepting unexpected POST.

See?

> ...

BR, Julian
Received on Saturday, 2 February 2008 10:02:07 UTC
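The two detection strategies debated above, as an added illustration that is not part of the original thread: a server-side filter that first recognises a ping request by its Content-Type (the value `text/ping` is assumed here; the thread itself names no value) and otherwise applies the Referer allowlist Kornel describes, which must accept requests with no Referer at all and can therefore only reject a present-but-foreign one. The allowlist origin and the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins whose pages may submit state-changing POSTs.
ALLOWED_ORIGINS = {"https://app.example"}

# Assumed marker for ping requests; the thread only asks for "a special Content-Type".
PING_CONTENT_TYPE = "text/ping"


def classify_post(headers):
    """Classify an incoming POST by its headers (dict with canonical header names).

    Returns one of:
      'ping'   - identifiable from Content-Type alone, no Referer inspection needed
      'reject' - Referer is present but does not name an allowed origin (a bogus value)
      'allow'  - Referer names an allowed origin, or is absent (clients may omit it)
    """
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type == PING_CONTENT_TYPE:
        return "ping"

    referer = headers.get("Referer")
    if referer is None:
        # The gap Kornel points out: absent Referer cannot be rejected without
        # breaking legitimate clients, so the allowlist is bypassed by omission.
        return "allow"

    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return "reject"  # unparsable or relative Referer is treated as bogus
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    return "allow" if origin in ALLOWED_ORIGINS else "reject"


if __name__ == "__main__":
    # Constructed sample requests covering each branch.
    samples = [
        {"Content-Type": "text/ping; charset=utf-8", "Referer": "https://app.example/a"},
        {"Content-Type": "application/x-www-form-urlencoded", "Referer": "https://app.example/form"},
        {"Content-Type": "application/x-www-form-urlencoded", "Referer": "http://bogus.invalid/"},
        {"Content-Type": "application/x-www-form-urlencoded"},
    ]
    for h in samples:
        print(classify_post(h), h)
```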