tptacek
17y ago
Referer is totally insecure.
If all it is is votes, I say the right solution is "let it go".
tlrobinson
17y ago
AFAIK, checking the Referer header actually works for preventing CSRF because you can't modify it for the types of requests that work cross domain, i.e. loading <img>, <script>, etc. tags, or posting forms.
tptacek
OP
17y ago
Your assumption here isn't crazy, but it depends on the browser, and you shouldn't rely on it.