- From: Kornel Lesinski <kornel@osiolki.net>
- Date: Wed, 13 Feb 2008 00:32:39 -0000
On Tue, 12 Feb 2008 21:54:25 -0000, Philip Taylor <pjt47 at cam.ac.uk> wrote:

> It's quite a different situation when the Referer is used as a security
> measure in deciding to trust a user's request, where false negatives can
> have significant consequences (like editing data via cross-site request
> forgery). That is the situation where <a ping> mustn't introduce new
> risks.
>
> I looked for some examples of code that checks the Referer for security,
> and found: [...]

That's interesting. In that case the attack outlined on Mozilla's list is even less likely to succeed than I thought.

So maybe a "less abusive" approach would suffice:

* if ping is cross-domain, always send Referer
* if ping originates from the same domain, don't send any Referer at all

-- 
regards, Kornel Lesiński
Received on Tuesday, 12 February 2008 16:32:39 UTC
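As an added illustration (not code from the thread or from any browser), the following Python models the two halves of the discussion: Kornel's proposed Referer rule for <a ping> on the client side, and a Referer-based CSRF check of the kind Philip refers to on the server side. The server check is written to fail closed on a missing Referer; that is an assumption about such checkers, not something the thread states. The URLs are constructed sample values.

```python
from urllib.parse import urlsplit


def origin(url):
    """Return the scheme://host[:port] part of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def ping_referer(page_url, ping_url):
    """Client side: the rule proposed in the message.

    Cross-domain ping  -> send the linking page's URL as Referer.
    Same-domain ping   -> send no Referer at all (returns None).
    """
    if origin(page_url) == origin(ping_url):
        return None
    return page_url


def referer_check(headers, trusted_origin):
    """Server side: accept a state-changing request only if its Referer
    comes from the site itself. A missing Referer is rejected (assumed
    fail-closed behaviour; the thread does not say what the cited code does).
    """
    referer = headers.get("Referer")
    if referer is None:
        return False
    return origin(referer) == origin(trusted_origin)


def simulate_ping(page_url, ping_url, trusted_origin):
    """Build the headers a ping request would carry under the proposed rule
    and report whether a Referer-checking server would accept it."""
    headers = {}
    referer = ping_referer(page_url, ping_url)
    if referer is not None:
        headers["Referer"] = referer
    return referer_check(headers, trusted_origin)


if __name__ == "__main__":
    site = "https://example.com"  # constructed sample origin
    # A link on an unrelated page pinging the site: Referer reveals the
    # foreign origin and the check rejects it.
    print(simulate_ping("https://other.example/post", f"{site}/ping", site))
    # A link on the site itself: no Referer is sent, so a fail-closed
    # check also rejects it rather than treating it as a trusted request.
    print(simulate_ping(f"{site}/article", f"{site}/ping", site))
```

Under this model a ping never arrives with a same-origin Referer it would not otherwise have had, which is the property the thread cares about: the rule cannot turn a ping into a request that a Referer-based CSRF check mistakes for a legitimate same-site action.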