UP.SDK Developer's Guide


Current chapter: Security


Writing WML that minimizes security risks

The following WML attribute helps control security risks from malicious services:

Element   Attribute     Description
go        sendreferer   Specifies whether the UP.Browser should provide the URL of the current deck when requesting the specified URL. Setting sendreferer="true" causes the device to specify the deck URL in the http_referer request header.

If you do not specify the attribute listed in the table above, the phone uses the default setting, which in general provides the highest degree of security. However, there are some specific areas where you should be cautious. These are described in the following sections.



Checking the HTTP Referer header

If your service provides URLs that perform sensitive operations, it should check the HTTP Referer header (the HTTP_REFERER environment variable set by the Web server) to make sure that the requests it handles originate from friendly domains. The phone does not set the Referer header unless you specify sendreferer="true" in the <go> task that makes the request.


IMPORTANT: Always check the Referer header when handling requests for sensitive information or operations.
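One way a service can implement this check, shown as an added example in Python that is not part of the original guide. The allowlist FRIENDLY_DOMAINS, the function names and the sample hosts are assumptions; environ stands for the CGI environment set by the Web server.

```python
from urllib.parse import urlsplit

# Assumed allowlist of "friendly" domains; replace with your own hosts.
FRIENDLY_DOMAINS = {"wap.example.com", "example.org"}


def referer_is_friendly(environ, friendly=FRIENDLY_DOMAINS):
    """Return True only if HTTP_REFERER names a host in a friendly domain.

    A missing header is rejected: the phone omits Referer unless the
    requesting deck used <go ... sendreferer="true">.
    """
    referer = environ.get("HTTP_REFERER", "").strip()
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        # Malformed URL (for example a broken bracketed host): reject.
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    # Compare the parsed host, never a substring of the raw URL, so that
    # "wap.example.com.evil.test" or "?u=wap.example.com" cannot pass.
    return any(host == d or host.endswith("." + d) for d in friendly)


def handle_sensitive_request(environ):
    """Return a (status, body) pair for a sensitive operation."""
    if not referer_is_friendly(environ):
        return "403 Forbidden", "Request did not originate from a friendly deck."
    return "200 OK", "Operation performed."
```

The Referer value is supplied by the client, so this check screens out requests coming from unfriendly decks but does not by itself authenticate the user.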




Copyright © 2000, Phone.com Inc. All rights reserved.