On 4/23/2012 4:41 AM, haman...@t-online.de wrote:
> Now thinking about the bank situation: the bank's webserver would see a request from the resizing service, but it is up to the resizer to behave like a real browser, or a proper HTTP proxy.
That's basically what I'm thinking. If the service fails to send a referrer at all, you can generally serve images reasonably safely. Email phishes can still use images, but given how few email clients actually load HTTP images anyway, it's a minor part of the problem.
It's only when there's an incorrect referrer that you can assume the request isn't legitimate and you should return something different. Whether you do this immediately or have someone review before making the decision is a business decision; for banks that can't confine themselves to a single domain, a manual review might be needed, but such is life.
-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren
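The policy sketched in the reply above (no Referer: serve; Referer on the bank's own domain: serve; Referer from anywhere else: substitute, or queue for review) as an added Python example. This is not code from the thread or from any bank; the domains `bank.example` and `bank-cards.example`, the helper names, and the "substitute image" response are assumptions for illustration.

```python
"""Referer-based hotlink policy for a bank's image endpoint.

Added example, not code from the thread. Decision rule follows the reply above:
  - no Referer header at all               -> serve the image
  - Referer on one of the bank's own hosts -> serve the image
  - Referer from anywhere else             -> serve a substitute (or queue for review)
The apex domains below are placeholders chosen for this example.
"""
from urllib.parse import urlsplit

# Assumed: the apex domains a legitimate bank page may be served from.
# Matching accepts the apex itself or any subdomain of it.
ALLOWED_APEX_DOMAINS = ("bank.example", "bank-cards.example")

SERVE = "serve"            # send the real image
SUBSTITUTE = "substitute"  # send the warning/placeholder image
REVIEW = "review"          # send the real image for now, queue the referrer for a human


def referrer_host(referer):
    """Return the lowercased host from a Referer header value.

    Returns None when the header is absent or empty, and "" when it is present
    but not a usable http(s) URL (kept distinct so a garbage Referer is not
    mistaken for "no referrer at all").
    """
    if referer is None or not referer.strip():
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return ""
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    # .hostname is already lowercased and has the port stripped
    return parts.hostname.rstrip(".")


def host_is_allowed(host, apex_domains=ALLOWED_APEX_DOMAINS):
    """True if host is an allowed apex domain or a subdomain of one.

    Matches on a label boundary, so 'www.bank.example.evil.test' does not
    pass merely because it contains 'bank.example'.
    """
    return any(host == apex or host.endswith("." + apex) for apex in apex_domains)


def classify_image_request(referer, apex_domains=ALLOWED_APEX_DOMAINS, manual_review=False):
    """Apply the policy to one request's Referer value. Returns (decision, reason)."""
    host = referrer_host(referer)
    if host is None:
        return SERVE, "no referrer sent"
    fallback = REVIEW if manual_review else SUBSTITUTE
    if host == "":
        return fallback, "unparseable referrer"
    if host_is_allowed(host, apex_domains):
        return SERVE, "referrer on own domain: " + host
    return fallback, "foreign referrer: " + host


def respond(headers, **policy):
    """Tiny stand-in for a request handler: picks which image body to send."""
    decision, reason = classify_image_request(headers.get("Referer"), **policy)
    body = {SERVE: "logo.png", SUBSTITUTE: "phishing-warning.png", REVIEW: "logo.png"}[decision]
    return body, decision, reason


if __name__ == "__main__":
    # Constructed sample requests for the demo, not captured traffic.
    samples = [
        {},                                                    # resizer sends no Referer
        {"Referer": "https://www.bank.example/accounts"},      # own site
        {"Referer": "HTTPS://Secure.Bank.Example:443/login"},  # case and port variations
        {"Referer": "https://www.bank.example.evil.test/"},    # suffix look-alike
        {"Referer": "http://phish.test/bank-login.html"},      # phishing page
        {"Referer": "not a url"},                              # garbage header
    ]
    for h in samples:
        print(repr(h.get("Referer")), "->", respond(h))
```

Two practical notes on this check: the Referer header is entirely under the client's control, so a phishing page can simply suppress it (for instance with a `no-referrer` referrer policy) and land in the "no referrer" branch that serves the image; the check therefore catches naive hotlinking rather than a deliberate attacker. And the garbage-Referer case is deliberately treated as "incorrect" rather than "absent" here; that is a choice for this example, not something the thread specifies.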