HTTP auth headers may be required to access the internet (e.g., to pass a request through a proxy server), so this should only apply to the Authorization request header, right?

-Darin

On Jan 22, 2008 11:27 PM, Ian Hickson <[EMAIL PROTECTED]> wrote:
> On Tue, 22 Jan 2008, dolphinling wrote:
> >
> > HTML5 doesn't say anything about whether a referer should be sent with
> > the POST generated by <a ping>. There is a new attack vector <a ping>
> > opens (as currently being discussed on mozilla.dev.platform) that would
> > be blocked if the referer were not sent.
>
> Fixed. I also said to not include Cookies or HTTP auth headers. Legitimate
> uses can always include whatever information they want in the ping=""
> attribute's value itself.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'