- From: Darin Fisher <darinf@gmail.com>
- Date: Wed, 23 Jan 2008 08:52:31 -0800
HTTP auth headers may be required to access the internet (e.g., to pass a request through a proxy server), so this should only apply to the Authorization request header, right?

-Darin

On Jan 22, 2008 11:27 PM, Ian Hickson <ian at hixie.ch> wrote:

> On Tue, 22 Jan 2008, dolphinling wrote:
> >
> > HTML5 doesn't say anything about whether a referer should be sent with
> > the POST generated by <a ping>. There is a new attack vector <a ping>
> > opens (as currently being discussed on mozilla.dev.platform) that would
> > be blocked if the referer were not sent.
>
> Fixed. I also said to not include Cookies or HTTP auth headers. Legitimate
> uses can always include whatever information they want in the ping=""
> attribute's value itself.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 23 January 2008 08:52:31 UTC