WebApp Sec: Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"

[Florian Weimer <fw () deneb enyo de>]

> Not such a good idea.  The referer value is no more trustworthy than
> anything else supplied by the client.
Can the Refer: header be changed using JavaScript, on the common
browsers?  If not, we can use it (as long as it's available) because
it provides the attestation we need.

The trouble with the Referer: header is that it's often filtered for
privacy reasons, and not available in some case (as mentioned in the
paper, this happens when an HTML message is displayed by a mail user
agent).