Learned Backstage types,

I have invented an algorithm for checking that when a client C accesses a resource M on server S, it can only do so if it also has access to a referring resource R and defines its HTTP User-Agent to be one of a pre-defined list of permitted agents. When C makes the request to S for M, it must include a key, K, which is the result of an SHA-256 HMAC on the contents of R (which both the server and client must have access to, although either could conceivably cache the value of K) using the User-Agent string as the HMAC key.
Thus, in order to request M, the client must supply a User-Agent, Referrer and key, K, which all match what the server expects. This goes beyond "dumb" referrer and user-agent checking in that the client must have (or have had recently) access to R in order to correctly generate the key.

A sample implementation is here: http://gist.github.com/325815

I've written it up here: http://nevali.net/post/435363058/user-agent-referrer-verification

Thoughts welcome.

M.

--
mo mcroberts
http://nevali.net
iChat: mo.mcrobe...@me.com
Jabber/GTalk: m...@ilaven.net
Twitter: @nevali

Run Leopard or Snow Leopard? Set Quick Look free with DropLook - http://labs.jazzio.com/DropLook/

-
Sent via the backstage.bbc.co.uk discussion group. To unsubscribe, please visit http://backstage.bbc.co.uk/archives/2005/01/mailing_list.html. Unofficial list archive: http://www.mail-archive.com/backstage@lists.bbc.co.uk/
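The exchange described in the post, written out as an added example (this is not the author's gist and not code from the original message). It assumes constructed sample data: a permitted-agent list, one referring resource R with made-up content, and a hypothetical request header `X-Key` for carrying K, since the post does not say how K travels with the request. The client side derives K = HMAC-SHA256(key = User-Agent string, message = contents of R) and sends it with the User-Agent and Referer; the server side checks the agent against the permitted list, checks that the Referer names a resource it holds a copy of, recomputes K from its own copy of R and compares in constant time.

```python
import hashlib
import hmac

# --- Constructed sample data (assumptions, not from the original post) ---
PERMITTED_AGENTS = {"ExampleAgent/1.0", "BackstageClient/2.1"}
REFERRING_URL = "http://example.org/referring-resource"          # URL of R
REFERRING_CONTENT = b"<html><body>sample referring resource R</body></html>"
# The server's view of which referring resources it knows and their contents.
SERVER_RESOURCES = {REFERRING_URL: REFERRING_CONTENT}
KEY_HEADER = "X-Key"  # hypothetical header name for K


def compute_key(resource_content: bytes, user_agent: str) -> str:
    """K = HMAC-SHA256 over the contents of R, keyed with the User-Agent string."""
    return hmac.new(user_agent.encode("utf-8"), resource_content, hashlib.sha256).hexdigest()


def client_headers(user_agent: str, referer_url: str, referer_content: bytes) -> dict:
    """What client C attaches to its request for M: User-Agent, Referer and K."""
    return {
        "User-Agent": user_agent,
        "Referer": referer_url,
        KEY_HEADER: compute_key(referer_content, user_agent),
    }


def server_verify(headers: dict, permitted_agents: set, resources: dict) -> tuple:
    """Server S's check before serving M. Returns (accepted, reason)."""
    user_agent = headers.get("User-Agent")
    referer = headers.get("Referer")
    presented_key = headers.get(KEY_HEADER)

    if user_agent not in permitted_agents:
        return False, "user-agent not permitted"
    if referer not in resources:
        return False, "referer is not a known referring resource"
    if not presented_key:
        return False, "missing key"

    # Recompute K from the server's own copy of R and the presented User-Agent.
    expected_key = compute_key(resources[referer], user_agent)
    # Constant-time comparison so the check does not leak K byte by byte.
    if not hmac.compare_digest(expected_key, presented_key):
        return False, "key mismatch"
    return True, "ok"


if __name__ == "__main__":
    good = client_headers("ExampleAgent/1.0", REFERRING_URL, REFERRING_CONTENT)
    print(server_verify(good, PERMITTED_AGENTS, SERVER_RESOURCES))

    # Right headers copied, but the client never actually fetched R
    # (it guessed at stale content), so K does not match.
    stale = client_headers("ExampleAgent/1.0", REFERRING_URL, b"guessed content")
    print(server_verify(stale, PERMITTED_AGENTS, SERVER_RESOURCES))

    # Agent not on the list is rejected before any HMAC work is done.
    print(server_verify(client_headers("curl/7.64", REFERRING_URL, REFERRING_CONTENT),
                        PERMITTED_AGENTS, SERVER_RESOURCES))
```

Because K depends only on the contents of R and the User-Agent string, it is the same for every request until R changes, which is why the post notes that either side could cache it; the server must recompute (or invalidate its cached K) whenever R is updated, or clients holding the new R will be rejected.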