Some time ago we noticed that people 'out on the web' were making use of some of our gadgets. While this was not a "Good Thing", we decided
that the extra complexity required to try to prevent it wasn't worth the small amount of system resources we might save.
This changed when we saw a client's competitor 'borrow' a page and continue to make use of the BareMetal gadget that it pointed to.
The thief was taking advantage of the client's privileges and development time as well as our equipment.
By making use of some of the extra information that the new browsers send to the server, it is simple to detect when an access comes
from a 'foreign' web-site.
The easiest way to avoid accidentally triggering this alarm is to avoid putting a host parameter in the action statement of your
<form> tag.
For example:
<form action="http://baremetal.com/cgi-bin/mail2" method="post" >
might trigger an alert if the page was called from a different virtual server. A call such as:
<form action="/cgi-bin/mail2" method="post">
is always going to go to the same server that the page was loaded from.
Not all the gadgets have this security check built into them, but you can expect most of the new ones to include it :-).
As a further note, it's not possible to detect all references from off site... as some browsers don't send any information about the
referring page, but the current system should stop with a security alert for about 70% of the browsers in use.
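A sketch of the kind of check described above, added here as an example and not BareMetal's own gadget code. It assumes the "extra information" is the Referer header, which CGI exposes as HTTP_REFERER, and that the virtual server is identified by HTTP_HOST (falling back to SERVER_NAME); the function name, the client.example and other.example hosts and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit


def check_referer(environ):
    """Classify a CGI request as 'same-site', 'foreign' or 'unknown'.

    environ is the CGI environment (os.environ in a real script).
    """
    referer = environ.get("HTTP_REFERER", "").strip()
    if not referer:
        # The browser sent no referring page, so there is nothing to compare.
        return "unknown"
    ref_host = (urlsplit(referer).hostname or "").lower()
    # Virtual server the request was addressed to; strip any :port suffix.
    served = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
    served_host = (urlsplit("//" + served).hostname or "").lower()
    if not ref_host or not served_host:
        return "unknown"
    return "same-site" if ref_host == served_host else "foreign"


# Constructed sample requests (not taken from real logs).
SAMPLES = {
    # Page on client.example with action="/cgi-bin/mail2" (relative).
    "relative_action": {
        "HTTP_HOST": "client.example",
        "HTTP_REFERER": "http://client.example/contact.html",
    },
    # Same page, but action="http://baremetal.com/cgi-bin/mail2":
    # the request lands on a different virtual server than the page.
    "absolute_action": {
        "HTTP_HOST": "baremetal.com",
        "HTTP_REFERER": "http://client.example/contact.html",
    },
    # A copy of the page hosted on someone else's site.
    "copied_page": {
        "HTTP_HOST": "client.example:80",
        "HTTP_REFERER": "http://other.example/stolen.html",
    },
    # Browser that does not send a referring page at all.
    "no_referer": {"HTTP_HOST": "client.example"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:16} -> {check_referer(env)}")
```

The Referer value is supplied by the client, so a check like this deters casual reuse of a page rather than authenticating the caller.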