Darin Fisher wrote:
> Keep in mind that there is also the problem that the POST request may
> have undesirable side-effects. The web app probably needs a request
> header from the browser to tell it what domain is sending it data. The
> Referer header is not sufficient since the browser will not send an HTTPS
> referrer-URI over plaintext.

And Referer, of course, is optional. And having something which is compulsory might raise privacy issues.

> We need to restrict READs as well as WRITEs when it comes to XSS ;-)

Good point; I'd forgotten that.

Gerv
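The check Darin describes, as an added example that is not part of the thread: a server-side gate for state-changing requests that relies on a browser-supplied source-domain header rather than on Referer alone. It assumes the `Origin` header (the header later standardized for exactly this purpose) is the domain indication the browser sends; the trusted-origin list and the sample requests are constructed for illustration, and the Referer fallback is kept only to show why it cannot be the primary check (it is optional, and absent when an HTTPS page posts to a plaintext URL).

```python
# Added example, not code from the original thread.
# Server-side check for cross-site POSTs that uses a browser-supplied source
# header ("Origin", assumed here) and falls back to Referer only as a weak hint.
from urllib.parse import urlsplit

# Constructed allow-list of scheme://host origins permitted to change state.
TRUSTED_ORIGINS = {"https://app.example", "https://admin.example"}


def source_origin(headers):
    """Return the scheme://host[:port] the browser reports as the request's
    source, or None when no usable indication is present."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin.lower()
    # Fallback: Referer is optional, and a browser suppresses it entirely when an
    # HTTPS page sends a request to a plaintext URL, so absence proves nothing.
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def allow_state_change(method, headers):
    """Allow a state-changing request only when the browser identifies a
    trusted source. Returns (allowed, reason)."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    src = source_origin(headers)
    if src is None:
        # Fail closed: with no source indication we cannot distinguish a
        # same-site form submission from a cross-site one, so reject rather than guess.
        return False, "no source indication (Origin/Referer absent)"
    if src in TRUSTED_ORIGINS:
        return True, f"trusted source {src}"
    return False, f"untrusted source {src}"


if __name__ == "__main__":
    # Constructed sample requests covering each branch.
    samples = [
        ("POST", {"Origin": "https://app.example"}),
        ("POST", {"Origin": "https://evil.example"}),
        ("POST", {"Referer": "https://app.example/settings"}),
        ("POST", {}),  # e.g. HTTPS page posting to an http:// endpoint: Referer suppressed
        ("GET", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", allow_state_change(method, hdrs))
```

The empty-header case is the one the thread is about: without a compulsory source header the server sees the same request whether a trusted page or a hostile one submitted it, so the only safe default is to refuse the side-effecting operation.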