I don't think browser JavaScript can manipulate the Referrer header. So it seems like a reasonable precaution to me to check it.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Mon, Jun 8, 2009 at 7:26 PM, SitG Admin <[email protected]> wrote:

>> If this is used on a web site it seems like a lot of trouble to go to.
>> They are already on a bad site.
>
> If the site is bad, couldn't it also be sending the user's browser a script
> to spoof referer?
>
>> I suspect the major threat is from email links. In that case there would
>> be no referrer and the OP could detect that.
>
> It could also detect people who are browsing through proxies (or modified
> browsers) to strip the referer information for their privacy.
>
> "Hi, we've detected that your privacy settings prevent our software from
> working. To continue using OpenID, please follow these instructions to
> reduce your privacy on the internet."
>
> -Shade
> _______________________________________________
> security mailing list
> [email protected]
> http://openid.net/mailman/listinfo/security
