- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 23 Jan 2008 07:27:16 +0000 (UTC)

On Tue, 22 Jan 2008, dolphinling wrote:
>
> HTML5 doesn't say anything about whether a referer should be sent with
> the POST generated by <a ping>. There is a new attack vector <a ping>
> opens (as currently being discussed on mozilla.dev.platform) that would
> be blocked if the referer were not sent.

Fixed. I also said to not include Cookies or HTTP auth headers.

Legitimate uses can always include whatever information they want in the
ping="" attribute's value itself.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 22 January 2008 23:27:16 UTC