|
|
|
|
|
|
by tlrobinson
5898 days ago
|
|
|
Checking the referrer (errr, "referer") header seems obvious to me, I wonder why they're not doing it. Sure, the referrer can be spoofed if you can set arbitrary headers, but you can't set headers on iframe requests anyway (and even XHR explicitly disallows setting Referer) |
|
|