Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images


From: Henrik Nordstrom <hno () hem passagen se>
Date: Tue, 19 Jun 2001 15:44:10 +0200

peterw () usa net wrote:

> Folks are missing the point on the Referer check that I suggested.

I intentionally selected not to go down that path in my message as there
are quite a few pitfalls with Referer, and it can easily be
misunderstood, allowing the application designer to falsely think they have
done a secure design using Referer.

Also, as shown earlier in the thread, using Referer may render the
service less useful for some people. There are people who filter out
Referer from their HTTP traffic because there are too many bugs in
user-agents showing Referer to things they should not expose externally.

Referer is meant to be a statistics & diagnostics tool allowing you to
find how your site is referenced, not a security measure. Because of
this it is not a required property of HTTP that there is a Referer
header when the user follows a link or submits a form.

--
Henrik Nordstrom
Squid HTTP proxy developer
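The two pitfalls Henrik describes (a check that is quietly bypassed when the header is absent, and a check that locks out users who strip Referer) can be made concrete. The following is an added example, not code from the thread; the origin `https://example.test` and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed origin of the site doing the check (assumption for this example).
SITE_ORIGIN = "https://example.test"


def referer_origin(headers):
    """Return scheme://host[:port] from the Referer header, or None if it is absent or unparsable."""
    # Header names are case-insensitive; normalise before lookup.
    ref = {k.lower(): v for k, v in headers.items()}.get("referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def naive_check(headers):
    """Rejects only when a Referer is present AND foreign.

    A missing header is treated as acceptable, so the check fails open:
    any request without a Referer is waved through."""
    origin = referer_origin(headers)
    return origin is None or origin == SITE_ORIGIN


def strict_check(headers):
    """Accepts only when a Referer is present AND matches the site.

    Fails closed, which is the safer direction, but it also rejects every
    legitimate user whose browser or proxy strips Referer."""
    return referer_origin(headers) == SITE_ORIGIN


# Constructed sample requests, keyed by what they represent.
REQUESTS = {
    "same-site form post": {"Referer": "https://example.test/post.html"},
    "privacy user, Referer stripped": {},
    "cross-site, Referer present": {"Referer": "https://other.test/page"},
    "cross-site, Referer absent": {},   # indistinguishable from the privacy user
}


def evaluate(check):
    """Run one check over all samples; returns {description: accepted?}."""
    return {name: check(hdrs) for name, hdrs in REQUESTS.items()}


if __name__ == "__main__":
    for label, check in (("naive", naive_check), ("strict", strict_check)):
        print(label, evaluate(check))
```

Neither policy is satisfactory: the naive one cannot tell the privacy user from a cross-site request without a Referer, and the strict one turns the privacy user away.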

