[wp-hackers] Enable Sending Referrers

Matt Mullenweg m at mullenweg.com
Mon Aug 15 17:44:31 GMT 2005

Matthew Thomas wrote:
> Or use POST for admin commands, which would be unspoofable from comment 
> links no matter where you were reading them, and which would work 
> whether your browser sent Referers or not. 

POST is spoofable with JS, we've been over this already. Filtering 
comments makes sense, but isn't really protection as the links could be 
on other domains as well. The current behavior is the best compromise of 
security and convenience and has been audited to protect against all 
known XSS problems.

Matt Mullenweg
http://photomatt.net  | http://wordpress.org
http://pingomatic.com | http://cnet.com

More information about the wp-hackers mailing list