- From: Kornel Lesinski <kornel@osiolki.net>
- Date: Thu, 24 Jan 2008 01:25:03 -0000
On Wed, 23 Jan 2008 07:27:16 -0000, Ian Hickson <ian at hixie.ch> wrote: >> HTML5 doesn't say anything about whether a referer should be sent with >> the POST generated by <a ping>. There is a new attack vector <a ping> >> opens (as currently being discussed on mozilla.dev.platform) that would >> be blocked if the referer were not sent. > > Fixed. I also said to not include Cookies or HTTP auth headers. > Legitimate uses can always include whatever information they want in the > ping="" > attribute's value itself. Doesn't that kill use of ping for tracking ad clicks? I think ad providers want to have cookies to track individual users across domains, and site that serves <a> is unable to provide that. Maybe ping could allow only cookies with a certain name/naming scheme? I don't think that attack vector discussed on mozilla.dev.platform should be taken so seriously. In my opinion case when <a ping> enables attack (instead of being just one of countless possible attack vectors) is very very unlikely: - If site accepts data from GET as well as POST (e.g. is using PHP's register_globals), then <a ping> is not needed at all -- a better attack can be performed with simple <img src> or <a href>. - If site allows HTML from untrusted source and allows ping to slip through, it is very likely that the site can be tricked to allow other potentially dangerous attributes or scripts. - Because not all browsers/proxies/firewalls send Referer header, public-facing websites have to accept POSTs without Referer, so forbidding Referer for <a ping> may not increase security and even make it harder to protect against CSRF. OTOH Referer can help save bandwidth. Without it page may need to include its own URL in every <a ping> attribute. On pages with lots of links (portals, directories) this can noticeably increases size of HTML. Maybe these problems could be solved with an additional HTTP header in the ping request? e.g.: X-Ping: from="http://example.com/here", to="http://example.com/there" This would make it easy to protect against unwanted ping-originated requests (one could configure server or set up application firewall to filter pings), and URL in <a ping> wouldn't have to contain copies of page's URL and href. -- regards, Kornel Lesi?ski
Received on Wednesday, 23 January 2008 17:25:03 UTC