W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1996

Re: Demographics

From: Kris Benson <doctorkb@synaptic.net>
Date: Tue, 9 Jul 1996 18:27:26 -0700 (PDT)
To: Paul Leach <paulle@microsoft.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.BSD.3.91.960709180914.6562B-100000@vortex.netbistro.com>

[This as Cc'd to the list, as the original was sent to the list, as well
as the fact that it seems a relevant thing to discuss here.  I'm including
this message at the top, just to say "I hope this is appropriate, yet I'm
not sure."]

On Tue, 9 Jul 1996, Paul Leach wrote:

> Jeff Mogul and I valunteered to write up a draft on simple demographics
> -- not the be-all and end-all, but something that would be enough to get
> an appreciable number of content providers to stop sending cache-busting
> responses.

If you need any help, let me know.

> Suppose we augmented to semantics of the Referer header so that, if it
> is used as a _response_ header (it is currently just a request header),
> it means that the server requests that a referer header is sent on any
> link followed from this page. If the user wishes to browse without
> leaving any trail of where they came from, they could override this, of
> course -- but I'm thinking that we would recommend AGAINST this, for the
> following reason:

Good point.  The referrer header should be able to be requested to be 
sent to the next page, but _only_ if the server that the link is on says 
to go for it.  If the server does not imply it, it should be assumed no.

But also, it may be worthwhile to have the Referrer header sent if the 
page the browser is going to is on the same server as the link to it.

i.e. <URL: http://www.megacorp.com/whatever.html>has a link to <URL:
http://www.megacorp.com/something.html> this should be highly reccommended
that the browser send the Referrer header to the second one, stating that 
it came from the first document.  As they are on the same host, there 
isn't really any large security issue.

Another idea would be for the first server to send a 'Trusted hosts'
header, that would imply that any hosts specified there are considered
trusted and the referrer should be sent to them.  This way, if it is a 
private server, they can allow referrer header to be sent to their sites 
(such as <URL: http://www.megacorp.com> has a private site for their 
employees, too at <URL: http://employees-only.megacorp.com/private/> the 
employees only place can include the former (public) WWW server as a 
'Trusted Host' so that they can determine which hits came from inside 
their company.  Now, this also brings up an additional point: do we allow 
the user to specify Untrusted hosts?

> What I'm looking for are comments on the privacy concerns with such an
> approach.

There would probably be a great deal of concern over a browser sending 
the headers without asking the user, much like the fuss over Netscape 
Navigator (tm) sending the 'From: ' header with the configured e-mail 
address in one of their Beta versions.  While referrer doesn't seem to be 
as large of a security risk or privacy issue, it could cause some 
nervousness among users and companies, if they were relying on security 
by obscurity (not telling others about a private site, rather than 
protecting it)

About the only way to avoid this is to make sure that the spec says that 
this should default to 'none' if the 'trusted hosts' isn't there, or the 
site with the link doesn't say that it wants Referrer sent.

If applicable, the spec should also make reference to the User having 
control as well.

--
Kris "The Doctor" Benson <kris@hackers-unlimited.com>
President, Hackers Unlimited
Personal HomePage: http://www.hackers-unlimited.com/doctorkb/
Hackers Unlimited: http://www.hackers-unlimited.com/
JAPH, HTMLer, Webmaster, UNIX guy for hire...
#####  May your beard and your .sig grow longer with wisdom  #####
Received on Tuesday, 9 July 1996 18:38:23 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:04 EDT