6 posts • joined Wednesday 9th May 2007 14:29 GMT
Can't rely solely on HTTP_REFERER
HTTP_REFERER is a good defence, but cannot be the sole defence, because certain systems remove the referrer from requests (yes, I'm looking at you, Norton Internet Security).
GET should never do anything but fetch content for viewing. http://example.com/script?do=delete&what=all_my_stuff is going to be bad news.
POST should always be used for data-altering actions, but as forms can be forged and auto-submitted using JavaScript, this should not be relied upon as the sole defence either.
If you avoid auto-submission of forms by disabling JavaScript, you're still not safe from form forgery. Consider this:
<form action="bank.com" method="post">
  <input type="hidden" name="do" value="transfer" />
  <input type="hidden" name="account" value="12345678" />
  <input type="hidden" name="value" value="5000.00" />
  Rate this image:
  <input type="radio" name="rating" value="3" />Great
  <input type="radio" name="rating" value="2" />Mediocre
  <input type="radio" name="rating" value="1" />Terrible
  <input type="submit" value="Go" />
</form>
The only secure defence right now is the security token.
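As an added illustration (not part of the original post or any real site's code), a server-side check in Python that applies the layered defence the comment describes: GET never changes state, the per-session token is the decisive check, and the Referer header is only rejected when it is present and foreign, so a proxy that strips it does not lock out legitimate users. The in-memory session store, site URL and field names are assumptions for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS = {}


def issue_csrf_token(session_id):
    """Create (or reuse) the secret token embedded in every state-changing form."""
    token = SESSIONS.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)
        SESSIONS[session_id] = token
    return token


def render_transfer_form(session_id):
    """The site's own form carries the token; a forged form on another site cannot read it."""
    token = issue_csrf_token(session_id)
    return ('<form action="/transfer" method="post">'
            f'<input type="hidden" name="csrf_token" value="{token}" />'
            '<input type="hidden" name="do" value="transfer" />'
            '</form>')


def check_state_change(method, headers, form, session_id, site="https://bank.example"):
    """Decide whether a data-altering request may proceed. Returns (allowed, reason).

    Order of checks: request method, then the session token (the decisive check),
    then Referer only as a weak extra signal that is tolerated when absent.
    """
    if method.upper() != "POST":
        return False, "state change via GET refused"
    expected = SESSIONS.get(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes so a mismatch leaks no timing information.
    if expected is None or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    referer = headers.get("Referer")
    if referer is not None and not referer.startswith(site + "/"):
        return False, "Referer from another origin"
    return True, "ok"
```

A forged form like the one above never carries the token, so it fails at the token check regardless of whether the browser sent a Referer.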
Regulator?
Isn't the role of a regulator to work in the interests of the public and ensure that this sort of crap doesn't happen?
8 bit?
The Amiga 500 (the first of the keyboard-style Amigas) was 16 bit, while the successor, the Amiga 1200 was a 32 bit machine.
If we're talking about a keyboard-style computer from Commodore, perhaps the article is in fact referring to the Commodore 64?
Incredible data ineptitude
And the government wonders why some of us have such strong objections to their lunatic ID card scheme...
The usage assumption is flawed
Am I alone in using blank media for purposes other than copying audio CDs? I object to paying Eminem for the benefit of backing up a directory of photos...
Yeah but...
This is all very laudable, but on several occasions I've had Dell send out a pair of screws in a padded A4 size box, and a two page manual in a gigantic cardboard monstrosity.
They really need to deal with their multi-box insanity of power cords in separate boxes, manuals in separate boxes, screws in separate boxes etc. in addition to this initiative.