whatwg@whatwg.org mailing list, January 2008

[whatwg] Referer header sent with <a ping>?

From: Darin Fisher <darinf@gmail.com>
Date: Wed, 23 Jan 2008 08:52:31 -0800
Message-ID: <ec4a571d0801230852u41913d2dydd3bec86f40e8b0c@mail.gmail.com>
HTTP auth headers may be required to access the internet (e.g., to pass a
request through a proxy server), so this should only apply to the
Authorization request header, right?
-Darin


On Jan 22, 2008 11:27 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Tue, 22 Jan 2008, dolphinling wrote:
> >
> > HTML5 doesn't say anything about whether a referer should be sent with
> > the POST generated by <a ping>. There is a new attack vector <a ping>
> > opens (as currently being discussed on mozilla.dev.platform) that would
> > be blocked if the referer were not sent.
>
> Fixed. I also said to not include Cookies or HTTP auth headers. Legitimate
> uses can always include whatever information they want in the ping=""
> attribute's value itself.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>
Received on Wednesday, 23 January 2008 08:52:31 UTC
