On Fri, Aug 27, 2010 at 7:53 PM, Luke Plant <l.plant...@cantab.net> wrote:
> <snip>
> Finally, the only time we need Referer headers sent is for same origin
> requests (POST requests to be exact).  Sending the Referer header in
> this case is virtually never a privacy concern, since the site will
> already be able to track what other pages you have visited on their
> site.  So, if this turns out to be a problem, we could possibly ask
> Mozilla (and other browsers) to add special casing for this (e.g. make
> the 'sendRefererHeader' option only apply to cross domain requests).
>
> By the way, we are not the only ones doing this.  Other people have
> suggested that strict Referer checking under HTTPS is a very effective
> and simple way to combat CSRF [1].
>
> Luke
>
> [1] http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf
>

Any sort of Referer checking is broken by design, since that header is
clearly optional. RFC 2616 makes explicitly clear that applications
should not rely on Referer being sent. Any argument that sending it
"is virtually never a privacy concern" is moot; you must not rely on
the existence of that header, even if it is a useful tool in 99% of
cases.

Cheers

Tom
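As an added illustration of the check the thread is arguing about (this is example code written for this page, not Django's implementation and not code posted by either participant): a strict Referer check that only applies to state-changing HTTPS requests and fails closed when the optional header is absent, which is exactly the trade-off Tom objects to. The function name, the `expected_host` parameter and the sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Methods that must not change state, so no Referer check is needed.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def strict_referer_check(is_secure, method, headers, expected_host):
    """Return (allowed, reason) for one request.

    Hypothetical helper, not Django's own code. Because Referer is optional
    (RFC 2616), a "strict" check has to fail closed: an HTTPS POST with no
    Referer, a malformed one, or one from another origin is rejected.
    `expected_host` is the bare hostname the request was served for.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    if not is_secure:
        # Over plain HTTP a network attacker can strip or forge the header,
        # so the check adds nothing there; the CSRF token must carry the load.
        return True, "not https, referer check skipped"
    referer = headers.get("Referer")
    if not referer:
        # The case Tom raises: browsers/privacy tools may simply omit it.
        return False, "referer missing on https request"
    parts = urlsplit(referer)
    if parts.scheme != "https" or not parts.hostname:
        return False, "malformed or non-https referer"
    if parts.hostname != expected_host.lower():
        return False, "cross-origin referer"
    return True, "same-origin https referer"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        (True, "POST", {"Referer": "https://example.com/form"}),
        (True, "POST", {}),
        (True, "POST", {"Referer": "https://other.example/x"}),
        (True, "POST", {"Referer": "http://example.com/form"}),
        (True, "GET", {}),
    ]
    for secure, method, hdrs in samples:
        print(method, hdrs, "->", strict_referer_check(secure, method, hdrs, "example.com"))
```

The second sample shows the cost of the strict policy: a legitimate same-origin POST whose Referer was suppressed by the client is indistinguishable from a cross-site one and is rejected.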
