httpd-docs mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject RE: documentation problem
Date Tue, 06 Nov 2001 20:34:19 GMT


> -----Original Message-----
> From: ian [mailto:ian@monster.simplecom.net]

> which says, if it's not blank, and doesn't come from ...quux-corp..., then
> forbid access. However, one could have a blank referrer and gain access to
> *.gif. It makes no mention of what to do if the referrer _is_ blank. To
> correct this problem, I made the following modification to line 2:

In addition, I should point out that you shouldn't be using this for real
security.  It is just as easy for the client to fake
http://www.quux-corp.de/~quux/ in the browser as it is for him to fake a
blank browser.  This technique should only be used to stop people from
inlining images.  In that case, the person doing the inlining does not have
control over the browsers, since they are the visitors to his site.
Therefore you need only block the basic cases.  If you try to block every
single case, you will wind up with a site that does not work for many
people, plus you won't really have security anyway.

Joshua.
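As an added illustration (not code from this thread or from the Apache guide), the following Python models the two RewriteCond checks ian describes, evaluates them against constructed sample Referer values, and includes a stricter variant without the blank-referrer condition so the trade-off Joshua describes is visible; the patterns and sample URLs are assumptions built from the thread, not the guide's exact text.

```python
import re

# Model of the Referer check discussed in the thread: forbid *.gif when the
# Referer is not blank AND does not come from the quux-corp site.
# Each entry is (regex, negated); mod_rewrite fires the rule only when
# every RewriteCond holds. Patterns are assumptions reconstructed from
# ian's description, not copied from the guide.
RECIPE = [
    (r"^$", True),                                 # Referer is NOT blank
    (r"^http://www\.quux-corp\.de/~quux/", True),  # and NOT from quux-corp
]

# Stricter variant that drops the blank-referrer condition, so an empty
# Referer is forbidden as well. Constructed here only to show the trade-off.
STRICT = RECIPE[1:]


def cond_matches(pattern, negated, value):
    """RewriteCond semantics: unanchored regex search, '!' negates the result."""
    hit = re.search(pattern, value, re.IGNORECASE) is not None
    return not hit if negated else hit


def gif_forbidden(referer, conds=RECIPE):
    """True when all conditions hold, i.e. the [F] rule would fire."""
    return all(cond_matches(p, n, referer) for p, n in conds)


# Constructed sample requests for a .gif, keyed by a label, value = Referer.
# Note the check only ever sees the header value a client chooses to send,
# which is why Joshua says it is not real security.
SAMPLES = {
    "own-site": "http://www.quux-corp.de/~quux/page.html",
    "hotlinker": "http://other.example/gallery.html",
    "blank": "",  # bookmark, direct hit, or a privacy tool stripping Referer
}


def policy_table(conds):
    """Map each sample label to whether that request would be forbidden."""
    return {name: gif_forbidden(ref, conds) for name, ref in SAMPLES.items()}


if __name__ == "__main__":
    print("recipe:", policy_table(RECIPE))  # blank referer gets through
    print("strict:", policy_table(STRICT))  # blank referer now blocked too
```

With RECIPE the blank-Referer request is served, which is ian's observation; with STRICT it is forbidden, but so is every legitimate visitor whose browser sends no Referer, which is the breakage Joshua warns about.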


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

