- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 1 Aug 2007 00:24:06 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@opera.com>, Web APIs WG <public-webapi@w3.org>
On Thu, 26 Jul 2007, Jonas Sicking wrote:
> >
> > Isn't Referer disabled by some third-party software now and then? Such
> > as antivirus software? Another reason is probably that Referer-Root
> > contains the exact format needed for the access check. We could use
> > that in the access-control document probably.
>
> This seems like a losing battle that I don't see a reason to fight. If
> the user (by installing software or through corporate policies) disables
> the Referer header, why should we try to circumvent them? That seems
> just likely to piss them off and then add Referer-Root to their blocking
> list.

Referer is blocked for privacy reasons (e.g. including personal data in
the URL). Referer-Root is supposed to be safe from this, by only including
host/domain information.

> If the sites want to use the Referer header and it has been blocked the
> site can simply deny the request. Non-ideal for the end-user, but by
> their own choice.

Referer is also blocked when going from https:// to http://, for the same
reasons as above, and we want Referer-Root available then too.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 1 August 2007 00:24:20 UTC