[SR-Users] loose_route security
jh at tutpro.com
Sun Apr 17 13:31:05 CEST 2011
Iñaki Baz Castillo writes:
> Hi Juha, Referred-By header is not part of REFER specification but an
> extension (RFC 3892) and it's not mandatory:
> 2.1. Referrer Behavior
> A UA sending a REFER request (a referrer) MAY provide a Referred-By
> header field value in the request.
if refer does not contain referred-by header, then there is no other
choice than to refuse it. otherwise (unless you keep call state) you
don't have any chance to know who sent the refer and what rights the
sender might have.
More information about the sr-users