I don't think browser JavaScript can manipulate the Referrer header. So it seems like a reasonable precaution to me to check it.
I've checked it. Looks like there *was* an attack against versions of Firefox before 2.0.0.10, and the XML HTTP Request object might work in any case:
http://pseudo-flaw.net/content/web-browsers/firefox-referer-spoofing/
http://jibbering.com/2002/4/httprequest.html

The relevant line of code for that second page is:

    xmlhttp.setRequestHeader('Accept','message/x-jl-formresult')

I have not tested this.
-Shade
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
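As an added example (not part of Shade's message or any OpenID project code), here is a server-side version of the Referer check discussed above, in Python. It assumes a constructed set of trusted origins; it compares only the scheme, host and port of the Referer, so query strings, paths and userinfo tricks do not affect the decision, and it makes the handling of a missing header an explicit choice rather than a silent pass.

```python
from urllib.parse import urlsplit

# Constructed for this example: the origin(s) the relying party itself serves.
TRUSTED_ORIGINS = {"https://rp.example.com"}


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; return None if it has no usable origin."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()  # hostname drops any user@ prefix
    default = 80 if parts.scheme == "http" else 443
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def referer_check(headers, allow_missing=False):
    """Return (ok, reason) for a request's headers (dict, any header-name casing).

    Browsers and proxies may omit the Referer (privacy settings, HTTPS->HTTP
    navigations), so a missing header is a policy decision, not a match.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("referer")
    if not value:
        return allow_missing, "no Referer header"
    origin = origin_of(value)
    if origin in TRUSTED_ORIGINS:
        return True, f"Referer origin {origin} is trusted"
    return False, f"Referer {value!r} is not from a trusted origin"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one cross-site, one missing the header.
    for hdrs in ({"Referer": "https://rp.example.com/login?next=/home"},
                 {"Referer": "https://rp.example.com.evil.example/form"},
                 {}):
        print(referer_check(hdrs))
```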
