peterwat_private wrote:
> Folks are missing the point on the Referer check that I suggested.

I intentionally selected to not go down that path in my message as there are quite a few pitfalls with Referer, and it can easily be misunderstood, allowing the application designer to falsely think they have done a secure design using Referer.

Also, as shown earlier in the thread, using Referer may render the service less useful for some people. There are people who filter out Referer from their HTTP traffic because there are too many bugs in user-agents showing Referer to things it should not expose externally.

Referer is meant to be a statistics & diagnostics tool allowing you to find how your site is referenced, not a security measure. Because of this, it is not a required property of HTTP that there is a Referer header when the user follows a link or submits a form.

--
Henrik Nordstrom
Squid HTTP proxy developer
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 13:39:50 PDT