[wp-hackers] Enable Sending Referrers
Matt Mullenweg
m at mullenweg.com
Mon Aug 15 17:44:31 GMT 2005
Matthew Thomas wrote:
> Or use POST for admin commands, which would be unspoofable from comment
> links no matter where you were reading them, and which would work
> whether your browser sent Referers or not.
POST is spoofable with JS, we've been over this already. Filtering
comments makes sense, but isn't really protection as the links could be
on other domains as well. The current behavior is the best compromise of
security and convenience and has been audited to protect against all
known XSS problems.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://pingomatic.com | http://cnet.com
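As an added illustration (not code from this thread or from WordPress itself), a generic Python check implementing the compromise Matt describes: an admin command is accepted only when it arrives as a POST and its Referer, if the browser sent one at all, names our own host. `ADMIN_HOST`, the header dictionary and the `require_referer` switch are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed example of the policy discussed in the thread. This is illustrative
# code, not WordPress's implementation.
ADMIN_HOST = "blog.example"  # assumed host name of the site's admin pages


def referer_ok(headers, require_referer=True):
    """True when the Referer is absent-but-tolerated or points at ADMIN_HOST."""
    referer = headers.get("Referer")
    if referer is None:
        # Some browsers, proxies and privacy tools strip Referer entirely; this is
        # the failure mode the subject line ("Enable Sending Referrers") refers to.
        # Tolerating a missing header is the convenience side of the trade-off.
        return not require_referer
    parts = urlsplit(referer)
    # Compare the exact parsed hostname, not a substring: "blog.example.other"
    # or "http://other/?blog.example" must not pass as our own site.
    return parts.scheme in ("http", "https") and parts.hostname == ADMIN_HOST


def admin_action_allowed(method, headers, require_referer=True):
    """POST alone does not prove a request came from our own pages, since a
    script on another site can submit a form; the Referer check is layered on top."""
    if method != "POST":
        return False
    return referer_ok(headers, require_referer)
```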