mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: Henrik Nordstrom <hno () hem passagen se>
Date: Tue, 19 Jun 2001 15:32:01 +0200
Sverre H. Huseby wrote:
There are, of course, no reason to add a ticket to off-site links.
The tickets are only understandable by our web application.
Tickets should only be tied to actions that have side effects on our
server (for which GET may be Wrong Thing anyway). If this principle
is followed, I can't see how anyone would be able to pick up Referers
containing tickets without having access to our server. Please
enlighten me if I've misunderstood anything here.
If the your page for some reasons references an external object (page,
image or whatever) then this external object will get the refeferer
header indicating the full URL of your page. If this URL (the URL of
your page) includes the users ticket then the ticket is exposed to that
From this simple reason, my the guideline is to never include tickets in
URL's. Always pass them around using (hidden) form fields sent via POST.
Squid HTTP proxy developer
RE: The Dangers of Allowing Users to Post Images Richard M. Smith (Jun 15)
Re: The Dangers of Allowing Users to Post Images Ben Gollmer (Jun 15)
Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) Peter W (Jun 15)
Re: The Dangers of Allowing Users to Post Images David Dreezer (Jun 15)
Re: The Dangers of Allowing Users to Post Images Chris Lambert (Jun 15)