- From: Adam Barth <hk9565@gmail.com>
- Date: Sat, 2 Feb 2008 14:19:23 -0800
Perhaps this has been suggested before, but another option is to use a new verb, such as PING, instead of GET when making the request. Servers unaware of the ping attribute will likely ignore this verb, mitigating the request-forgery attack vector.

Adam

On Feb 2, 2008 2:13 PM, Julian Reschke <julian.reschke at gmx.de> wrote:
> Ian Hickson wrote:
> > Interesting.
> >
> > I see two ways forward here. One would be to redefine Referer to remove
> > the relative URI thing, since, to my knowledge at least, nobody uses it.
>
> That's IMHO not sufficient reason to remove it. It's not broken.
>
> > The other is that we can define the magic value to be "#PING" instead,
> > since that's a non-conforming Referer value right now.
> >
> > Would that work for people? dolphinling? Darin?
>
> It's not conforming, so are you suggesting to use a non-conforming value?
>
> Me confused.
>
> Could you please state what problem you are trying to solve, and why it
> needs to involve the Referer header?
>
> >>> We add two headers, "X-Ping-From" which has the value of the page that
> >>> had the link, and "X-Ping-To" which has the value of the page that is
> >>> being opened.
> >> You don't need any new headers.
> >>
> >> Define a content type, and send the information you want to transmit in
> >> the request body.
> >
> > The idea, as others have noted, is to keep the entity body empty so as to
> > avoid any issues with servers that ignore the headers and process the body
> > (which is relatively common).
>
> Are you saying it wasn't a good idea to use POST after all because of
> these risks?
>
> BR, Julian
>
Received on Saturday, 2 February 2008 14:19:23 UTC
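The verb-based design Adam proposes, shown as an added example that is not part of the original thread or any browser or server implementation: a small ping endpoint that only records a notification when the request verb is PING, the entity body is empty, and the X-Ping-From / X-Ping-To headers named earlier in the thread carry absolute http(s) URLs. A GET or POST to the same path is refused, which is the forgery-mitigation point of using a verb that existing servers do not route. The response codes (204 for an accepted ping, 405/400 for rejected requests), the `classify_ping` helper and the handler class are assumptions made for this example.

```python
"""Hypothetical ping endpoint that dispatches on the request verb (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Header names come from the thread; everything else here is an assumption.
PING_HEADERS = ("X-Ping-From", "X-Ping-To")


def _is_absolute_http_url(value):
    """Only absolute http/https URLs are accepted; relative references are refused."""
    parts = urlsplit(value or "")
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def classify_ping(method, headers, body):
    """Return ("ping", {header: url}) for a well-formed ping, else ("reject", reason).

    method: request verb; headers: mapping (looked up case-insensitively);
    body: raw entity body as bytes.
    """
    if method != "PING":
        # A forged GET/POST from a third-party page never reaches the ping logic.
        return "reject", "not a PING request"
    if body:
        # The thread's design keeps the entity body empty; anything else is suspect.
        return "reject", "ping must carry an empty entity body"
    lowered = {k.lower(): v for k, v in headers.items()}
    values = {}
    for name in PING_HEADERS:
        value = lowered.get(name.lower())
        if not _is_absolute_http_url(value):
            return "reject", f"missing or malformed {name}"
        values[name] = value
    return "ping", values


class PingHandler(BaseHTTPRequestHandler):
    """Routes PING to the ping logic; GET/POST on the same path are refused."""

    received = []  # constructed in-memory log of accepted pings (demo only)

    def _dispatch(self):
        length = int(self.headers.get("Content-Length", "0") or 0)
        body = self.rfile.read(length) if length else b""
        verdict, detail = classify_ping(self.command, dict(self.headers), body)
        if verdict == "ping":
            self.received.append(detail)
            self.send_response(204)
        elif self.command != "PING":
            self.send_response(405)
            self.send_header("Allow", "PING")
        else:
            self.send_response(400)
        self.end_headers()

    # BaseHTTPRequestHandler looks up "do_" + verb, so an unknown verb works.
    do_PING = _dispatch
    do_GET = _dispatch
    do_POST = _dispatch


if __name__ == "__main__":
    # Serve on localhost only; stop with Ctrl-C.
    HTTPServer(("127.0.0.1", 8080), PingHandler).serve_forever()
```

Run the block and send `PING /` with the two headers to see a 204; the same request as GET returns 405 with `Allow: PING`, and a PING carrying a body or a relative URL returns 400.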