item 42812964 (no title)

HughParry | 1 year ago
Presumably just throwing a 403 if they have this referrer is ok and won't have a weird SEO impact or something?

  jsheard | 1 year ago
  Couldn't the attacker evade that by sending Referrer-Policy: no-referrer with their redirect?

    HughParry | 1 year ago
    Good shout. Can always block based on origin header though (when under the assumption that it's a legit browser) since it's a forbidden header name. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Or...

  RajBhai | 1 year ago
  Sounds like a security flaw that browsers honor this.

  thiago_fm | 1 year ago
  No, and the earlier you do the better. Later it might have
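An added example, not from any commenter in the thread, modelling the two server-side blocking strategies discussed above: the Referer check is bypassed once the referring page sends Referrer-Policy: no-referrer, while Origin cannot be set or removed by page script because it is a forbidden header name. The caveat worth knowing is that browsers omit Origin on plain GET navigations, so a redirect that lands as a GET carries neither header; the origins evil.example and good.example are constructed sample values.

```python
# Added example: compares Referer-based and Origin-based blocking decisions.
# Neither function is from the thread; the blocked origin is a constructed value.
from urllib.parse import urlsplit

BLOCKED_ORIGINS = {"https://evil.example"}  # constructed sample value


def _origin_of(url: str) -> str:
    """Reduce a full URL (e.g. a Referer) to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def block_by_referer(headers: dict) -> bool:
    """Return True (answer 403) when the Referer names a blocked site."""
    ref = headers.get("Referer")
    if not ref:
        return False  # Referrer-Policy: no-referrer leaves nothing to match on
    return _origin_of(ref) in BLOCKED_ORIGINS


def block_by_origin(headers: dict) -> bool:
    """Return True when the browser-set Origin header names a blocked site."""
    origin = headers.get("Origin")
    if not origin or origin == "null":
        # GET navigations send no Origin; sandboxed frames and some
        # cross-origin redirect chains send the literal string "null".
        return False
    return origin.lower() in BLOCKED_ORIGINS


# Constructed request headers for the cases the thread raises.
SAMPLES = {
    "post_with_referer": {"Origin": "https://evil.example", "Referer": "https://evil.example/p"},
    "post_no_referrer_policy": {"Origin": "https://evil.example"},  # Referer stripped by policy
    "get_redirect": {},  # redirect landing as a GET: neither header present
    "legit_post": {"Origin": "https://good.example", "Referer": "https://good.example/"},
}


def decisions() -> dict:
    """Map each sample to (blocked_by_referer, blocked_by_origin)."""
    return {name: (block_by_referer(h), block_by_origin(h)) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_ref, by_origin) in decisions().items():
        print(f"{name:24} referer-block={by_ref!s:5} origin-block={by_origin}")
```

The get_redirect case is the one to note: with no Origin and no Referer, neither check fires, so header-based blocking only helps for cross-origin POSTs and CORS requests.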