[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Mon Apr 17 15:51:50 GMT 2006


On 4/17/06, Brian Layman <Brian at thecodecave.com> wrote:
> You're right that I might be missing something here, which is why I asked
> the question.
>
> If I am working in http://www.somewpblog.com/wp-admin/post.php and click on
> a link in the preview post, I don't know what my referrer would show as...
>
> OK, I tested this by creating a post that was simply a link to
> "/wp-admin/post.php?action=delete&post=101" and it comes up with "Sorry, you
> need to enable sending referrers for this feature to work.".  So apparently
> this is not a concern and I still don't know why people view the preview
> feature as an issue.

That's right, iframes send referers as the src of the iframe from
which the link was clicked, not the hosting page, as a security
feature.

--
--Robert Deaton
http://somethingunpredictable.com
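The check the thread is discussing, as an added example written for this page (not WordPress's own check_admin_referer() code): a referer test that rejects a missing header with the message Brian quotes, and rejects a referer whose origin or path is not under the site's admin area. The admin URL, the function names and the sample referers are assumptions chosen for illustration.

```php
<?php
// Added example, not WordPress code. Hypothetical names throughout.

// Assumed admin base URL; a real install would read it from its configuration.
const ADMIN_BASE_URL = 'http://www.somewpblog.com/wp-admin/';

/**
 * Return true only if $referer names a page under the site's own admin area.
 * A missing header is rejected (the "enable sending referrers" case), as is a
 * referer from another scheme/host/port (a cross-site request) or one from the
 * site's public pages, which is where an iframe'd preview would report from.
 */
function referer_is_trusted(?string $referer, string $admin_base = ADMIN_BASE_URL): bool
{
    if ($referer === null || $referer === '') {
        return false; // browser or proxy did not send the header
    }
    $ref = parse_url($referer);
    $adm = parse_url($admin_base);
    if ($ref === false || empty($ref['scheme']) || empty($ref['host'])) {
        return false; // relative or unparsable referer: do not trust it
    }
    // Origin must match exactly: scheme, host and (possibly absent) port.
    if (strtolower($ref['scheme']) !== strtolower($adm['scheme'])
        || strtolower($ref['host']) !== strtolower($adm['host'])
        || ($ref['port'] ?? null) !== ($adm['port'] ?? null)) {
        return false;
    }
    // Path must sit inside the admin directory, not just on the same host.
    $path = $ref['path'] ?? '/';
    return strncmp($path, $adm['path'], strlen($adm['path'])) === 0;
}

/** Gate an admin action on the request's Referer header. */
function check_admin_referer_example(): void
{
    if (!referer_is_trusted($_SERVER['HTTP_REFERER'] ?? null)) {
        http_response_code(403);
        exit('Sorry, you need to enable sending referrers for this feature to work.');
    }
}

// Constructed inputs covering the cases raised in the thread.
var_dump(referer_is_trusted('http://www.somewpblog.com/wp-admin/post.php')); // admin page
var_dump(referer_is_trusted('http://www.somewpblog.com/?p=101'));            // public post page
var_dump(referer_is_trusted('http://other.example/page.html'));              // foreign host
var_dump(referer_is_trusted(null));                                          // header not sent
```

Only the first call is accepted; the other three are the cases a referer-based check exists to refuse, and the last shows why the check degrades to "enable sending referrers" for users whose browser or proxy strips the header.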

