Re: [whatwg] Referer header sent with <a ping>?

Kornel Lesinski wrote:
>> How is that better compared to not sending the Referer header at all?
> 
> Because not every client sends Referer, web applications have to accept 
> requests without Referer at all. Bogus referer value avoids such 
> whitelisting and can be easily blocked by anti-CSRF mechanisms.

So you want to abuse HTTP/1.1 to implement blocking of ping requests. 
That's really backwards. Instead, define the ping request in a way that it 
can be properly detected.

> Special Content-Type might work equally well -- it can be detected by 
> tools scanning headers only, and should prevent applications from 
> accepting unexpected POST.

See?

> ...

BR, Julian

Received on Saturday, 2 February 2008 10:02:07 UTC
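To make the two positions in this exchange concrete, here is an added example (not part of the thread, and not code from any of its participants): a small server-side request classifier. It treats a ping request as something identified by its own media type, and applies the usual Referer-or-token CSRF logic to everything else. The site origin, the sample requests, and the `text/ping` media type (the one the HTML standard later settled on for `<a ping>`; it is not mentioned on the page) are assumptions of this example.

```python
"""Classify incoming requests for a CSRF filter.

Added example, not from the original mailing-list thread. The origin,
sample headers and media types below are constructed for illustration;
"text/ping" is assumed from the HTML standard, not stated on the page.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"        # constructed: our own origin
PING_MEDIA_TYPE = "text/ping"              # assumed ping media type
FORM_MEDIA_TYPES = {                       # types a browser form can submit
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def _lower_headers(headers):
    """Header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def media_type(headers):
    """Return the bare media type, dropping parameters such as charset."""
    ct = _lower_headers(headers).get("content-type", "")
    return ct.split(";", 1)[0].strip().lower()


def referer_origin(headers):
    """Return the Referer's origin, None if absent, or "invalid" if unparsable.

    A deliberately bogus Referer (as discussed in the thread) ends up as
    "invalid", which the caller treats like any foreign origin.
    """
    ref = _lower_headers(headers).get("referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    if not parts.scheme or not parts.netloc:
        return "invalid"
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify(method, headers, csrf_token_ok):
    """Decide how a request should be handled.

    Returns one of:
      "allow"             safe method, or same-origin POST with a valid token
      "ping"              hyperlink-audit ping, identified by its media type;
                          route it to an audit endpoint, never to handlers
      "reject-cross-site" Referer names a foreign (or bogus) origin
      "reject-no-token"   Referer missing or same-origin, but no valid token
    """
    if method.upper() != "POST":
        return "allow"

    # The clean detection: a ping announces itself via Content-Type.
    if media_type(headers) == PING_MEDIA_TYPE:
        return "ping"

    origin = referer_origin(headers)
    if origin is not None and origin != SITE_ORIGIN.lower():
        return "reject-cross-site"

    # Referer absent or same-origin: clients legitimately omit it, so the
    # deciding factor has to be the anti-CSRF token, not the header.
    return "allow" if csrf_token_ok else "reject-no-token"


if __name__ == "__main__":
    # Constructed sample requests
    samples = [
        ("GET", {}, False),
        ("POST", {"Content-Type": "text/ping; charset=utf-8"}, False),
        ("POST", {"Content-Type": "application/x-www-form-urlencoded",
                  "Referer": "https://other.example/page"}, True),
        ("POST", {"Content-Type": "application/x-www-form-urlencoded",
                  "Referer": "bogus"}, True),
        ("POST", {"Content-Type": "application/x-www-form-urlencoded"}, True),
        ("POST", {"Content-Type": "application/x-www-form-urlencoded"}, False),
    ]
    for method, hdrs, ok in samples:
        print(method, hdrs, ok, "->", classify(method, hdrs, ok))
```

The ping branch is taken before any Referer inspection, which is the point Julian is making: a request that carries its own marker can be routed or dropped without depending on a header that many clients never send. The `"invalid"` return from `referer_origin` shows that a bogus Referer is also blocked, but only as a side effect of ordinary origin checking.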