On Thu, Jun 14, 2001 at 09:12:05PM -0400, Chris Lambert wrote:

> would it be safe to check
> that if a referer is present, it contains the site's domain name,

Yes.

> but if it
> isn't, it most likely wouldn't have been referenced in an <img> tag or
> submitted via JavaScript?

You mean it's safe/legitimate? No. Client-pull META tags generate
requests without Referers, as I've said a couple of times in this thread,
and in previous Bugtraq discussions, too. :-)

If you don't see the Referer, you can't trust the request.

Your best bet is to lock out users who won't pass Referers. Or at least,
when you initialize a user session, note if they seem to be passing
Referer values. If they are, then you should certainly reject any later
request that seems to be theirs, but lacks a Referer header.

Note that in some cases, MSIE won't send a Referer if the TARGET of a
link is a different window, or that used to be the case.

This is messy.

-Peter
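The following is an added illustration of the policy described in the post above; it is not code from Peter W's message or from any software discussed in this thread. It assumes a hypothetical site host of www.example.com, request headers passed in as a plain dict, and a per-user Session object created when the user logs in. One deliberate departure from the quoted question: instead of testing whether the Referer "contains the site's domain name", the check parses the Referer as a URL and requires an exact host match, because a substring test accepts http://www.example.com.evil.test/ and http://evil.test/www.example.com. The naive form is kept alongside it so the difference is visible.

```python
from urllib.parse import urlsplit

# Assumed host of the site being protected (hypothetical; not from the post).
SITE_HOST = "www.example.com"


def referer_contains_site_name(referer):
    """The naive test from the question: does the Referer merely *contain*
    the site's domain name?  Kept only to show why it is too weak."""
    return bool(referer) and SITE_HOST in referer.lower()


def referer_matches_site(referer, site_host=SITE_HOST):
    """Strict form: parse the Referer as a URL and require that its host
    equals our host exactly (scheme must be http or https)."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname  # may raise ValueError on a malformed IPv6 literal
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https") or not host:
        return False
    return host.lower() == site_host.lower()


def _get_referer(headers):
    """Case-insensitive header lookup; None when the header is absent."""
    for name, value in headers.items():
        if name.lower() == "referer":
            return value
    return None


class Session:
    """Per-user state.  sends_referer records whether the client passed a
    Referer when the session was created, as the post suggests noting."""

    def __init__(self, sends_referer):
        self.sends_referer = sends_referer


def init_session(headers):
    """Create the session and remember whether this client sends Referers."""
    return Session(sends_referer=_get_referer(headers) is not None)


def check_request(session, headers, require_referer=True):
    """Decide whether a state-changing request may proceed.

    Returns (allowed, reason).  require_referer=True is the post's
    'lock out users who won't pass Referers'; False is the weaker
    fallback that only rejects a missing Referer from a session that
    was seen sending one at login.
    """
    referer = _get_referer(headers)
    if referer is not None:
        if referer_matches_site(referer):
            return True, "Referer host matches the site"
        return False, "Referer points at another site"

    # No Referer at all.  Legitimate causes include a META refresh
    # (client pull), a hand-typed URL, a stripping proxy, and the MSIE
    # behaviour the post mentions for links opened in another window.
    # None of these can be told apart from a forged request, so the
    # request is unverifiable rather than merely suspicious.
    if session.sends_referer:
        return False, "client normally sends Referer but this request lacks one"
    if require_referer:
        return False, "no Referer; request cannot be verified"
    return True, "no Referer, but this client never sends one (lenient policy)"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    login_headers = {"Host": SITE_HOST, "Referer": "http://www.example.com/login"}
    session = init_session(login_headers)
    for hdrs in (
        {"Referer": "http://www.example.com/board/post.php"},
        {"Referer": "http://www.example.com.evil.test/forge.html"},
        {},  # e.g. a <meta http-equiv="refresh"> client pull
    ):
        print(_get_referer(hdrs), "->", check_request(session, hdrs))
```

The session-tracking branch is the compensating control for the cases the post lists where a browser sends no Referer: the check cannot distinguish a client-pull META request from a forged one, so it records at login which clients do volunteer the header and treats a later silence from such a client as a rejection.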
- Re: The Dangers of Allowing Users to Post Images Ben Gollmer
- Cross-Site Request Forgeries (Re: The Dangers of... Peter W
- Re: Cross-Site Request Forgeries (Re: The D... Chris Lambert
- Re: The Dangers of Allowing Users to Post Images Chris Lambert
- Re: The Dangers of Allowing Users to Post I... Ryan Kennedy
- Re: The Dangers of Allowing Users to Post Images Chris Lambert
- Re: The Dangers of Allowing Users to Post Images David Dreezer
- Re: The Dangers of Allowing Users to Post Images Chris Lambert
- Re: The Dangers of Allowing Users to Post Images Chris Lambert
- Re: The Dangers of Allowing Users to Post I... Peter W
- Re: The Dangers of Allowing Users to Po... Jason Brooke
- Re: The Dangers of Allowing Users to Post Images Dmitry Yu. Bolkhovityanov
- Re: The Dangers of Allowing Users to Post Images Henrik Nordstrom
- Re: The Dangers of Allowing Users to Post Images John Percival
- Re: The Dangers of Allowing Users to Post I... Michal Szokolo
- Re: The Dangers of Allowing Users to Po... Travis Siegel
- Re: The Dangers of Allowing Users to Post I... Jeffrey W. Baker
