On Thu, Jun 14, 2001 at 09:12:05PM -0400, Chris Lambert wrote:
> would it be safe to check
> that if a referer is present, it contains the site's domain name,

Yes.

> but if it
> isn't, it most likely wouldn't have been referenced in an <img> tag or
> submitted via JavaScript?

You mean it's safe/legitimate? No. Client-pull META tags generate requests without Referers, as I've said a couple of times in this thread, and in previous Bugtraq discussions, too. :-)

If you don't see the Referer, you can't trust the request. Your best bet is to lock out users who won't pass Referers. Or at least, when you initialize a user session, note if they seem to be passing Referer values. If they are, then you should certainly reject any later request that seems to be theirs but lacks a Referer header.

Note that in some cases, MSIE won't send a Referer if the TARGET of a link is a different window, or that used to be the case. This is messy.

-Peter
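The Referer policy Peter describes (accept a Referer only from the site's own host, optionally lock out Referer-less clients, otherwise note at session start whether the client sends Referer and reject later Referer-less requests from clients that did), as an added Python example that is not part of the original thread; the host name `www.example.com` and the session dictionary are assumptions.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"   # assumed: the site's own host name (constructed)


def referer_is_local(referer, site_host=SITE_HOST):
    """True only when the Referer URL's host is exactly the site's host.

    Compare the parsed host rather than testing whether the string
    'contains the domain name'; a substring test would also accept a
    Referer from a host such as www.example.com.attacker.test.
    """
    if not referer:
        return False
    host = urlsplit(referer).hostname          # lower-cased, port stripped
    return host is not None and host == site_host.lower()


def start_session(first_referer):
    """Initialise per-session state, noting whether this client passes Referer."""
    return {"sends_referer": bool(first_referer)}


def check_request(session, referer, lock_out_no_referer=False):
    """Classify a later state-changing request in this session.

    Returns 'trusted', 'rejected' or 'unverified'. A request with no Referer
    (client-pull META refresh, some MSIE TARGET links, stripping proxies)
    can never be 'trusted'; whether it is rejected depends on policy and on
    what the client did at session start.
    """
    if referer:
        return "trusted" if referer_is_local(referer) else "rejected"
    if lock_out_no_referer:
        return "rejected"                      # strict policy: no Referer, no service
    if session["sends_referer"]:
        return "rejected"                      # this client normally sends one
    return "unverified"                        # client never sends Referer; cannot tell
```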
This archive was generated by hypermail 2b30 : Sat Jun 16 2001 - 12:17:40 PDT