- From: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
- Date: Thu, 21 Mar 2013 00:41:14 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WHATWG <whatwg@whatwg.org>, Jonas Sicking <jonas@sicking.cc>
Anne van Kesteren <annevk@annevk.nl> wrote on Wed, 20 Mar 2013 17:31:14 -0400:

> If you do an XMLHttpRequest from a document hosted at
> /superlonghashkeythatactsasauthenticationtoken you probably do not
> want to expose the Referer header.

A GET request should be idempotent, so what would be the problem? If subsequent access changes the state of the resource, that seems broken.

> Now 1) this document should be
> hosted over https so this is less likely to be a concern given actual
> implementations of Referer over https and b) for same-origin requests
> this matters less (if at all), it still seems better if anonymous is
> anonymous.

I'd suggest using HMACs instead of hashes for signed action URLs. Right?

-- 
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
Received on Wednesday, 20 March 2013 23:41:56 UTC
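The HMAC-signed action URL the message suggests, as an added example that is not part of the archived thread: the tag is computed over the canonical path and query with a server-side key, so a URL that leaks (for instance via Referer) authorises only the exact action it was issued for and cannot be altered or re-signed by anyone without the key. The key value and the `/delete` action are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed example key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-example-key-not-for-production"


def _canonical(path: str, items) -> bytes:
    """Path plus query with parameters sorted, so reordering cannot change the tag."""
    return f"{path}?{urlencode(sorted(items))}".encode()


def sign_action_url(path: str, params: dict, key: bytes = SERVER_KEY) -> str:
    """Return path?params&sig=<hex HMAC-SHA256 over the canonical URL>."""
    query = urlencode(sorted(params.items()))
    tag = hmac.new(key, _canonical(path, params.items()), hashlib.sha256).hexdigest()
    return f"{path}?{query}&sig={tag}"


def verify_action_url(url: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the HMAC over everything except 'sig' and compare in constant time."""
    parts = urlsplit(url)
    items = parse_qsl(parts.query, keep_blank_values=True)
    sig = next((v for k, v in items if k == "sig"), None)
    if sig is None:
        return False
    rest = [(k, v) for k, v in items if k != "sig"]
    expected = hmac.new(key, _canonical(parts.path, rest), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected, sig)


def unkeyed_hash_url(path: str, params: dict) -> str:
    """The weaker pattern: a plain hash anyone can recompute, so it authenticates nothing."""
    query = urlencode(sorted(params.items()))
    tag = hashlib.sha256(_canonical(path, params.items())).hexdigest()
    return f"{path}?{query}&sig={tag}"


if __name__ == "__main__":
    url = sign_action_url("/delete", {"id": "42"})
    print(url, verify_action_url(url))
    # Changing the action parameter invalidates the tag.
    print(verify_action_url(url.replace("id=42", "id=43")))
    # A tag produced without the key is rejected.
    print(verify_action_url(unkeyed_hash_url("/delete", {"id": "42"})))
```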