Re: confidentiality and the referer field

From: Matthew Rubenstein <ruby@name.net>
Date: Thu, 26 Jun 1997 16:35:51 -0400
Message-Id: <3.0.1.32.19970626163551.00937140@name.net>
To: Hallam-Baker <hallam@ai.mit.edu>
Cc: Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com>, http-wg@cuckoo.hpl.hp.com

At 04:29 PM 6/26/97 -0400, Hallam-Baker wrote:
>
>> Assuming you're not suggesting removing the REFERER header field
>> altogether, that's not true.  Sites would simply need to decide whether
>> a request without a REFERER was acceptable or not, and allow or deny
>> the request accordingly.
>
>OK "restrict the ability".
>
>There are already many situations where a browser can't send a referer
>field, such as when the link is a bookmark.

	The lack of a REFERER value there is effectively a spec omission that
effects an overload of a null REFERER to indicate several conditions,
including key entry, "bookmarks" and client bug.


> As clients allow the user to
>disable the referer field sites will be less able to refuse requests
>for frivolous reasons.

	One client's frivolous reason is another server's special case. It's _my_
server, why can't I restrict access based on what enabled the request?


>I was simply flagging a secondary consequence of the change.
>
>
>	Phill

--
Matthew Rubenstein                    North American Media Engines
Toronto, Ontario   *finger matt for public key*      (416)943-1010

			    Chess is for computers.
Received on Thursday, 26 June 1997 13:42:24 EDT
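
The allow-or-deny decision debated in this message, as an added example that is not part of the original thread: a server-side check that keeps "no Referer" as its own case, since the header alone cannot tell a typed URL, a bookmark, a disabled field or a client bug apart. The allowed host names, the `allow_absent` switch and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical policy: hosts whose pages may link to the protected resource.
ALLOWED_REFERER_HOSTS = {"www.example.com", "example.com"}


def classify_referer(headers):
    """Return 'absent', 'malformed', 'allowed' or 'foreign' for one request."""
    # Header names are case-insensitive, so normalise before the lookup.
    value = {k.lower(): v for k, v in headers.items()}.get("referer")
    if value is None or not value.strip():
        # Typed URL, bookmark, disabled field, client bug: indistinguishable.
        return "absent"
    try:
        parts = urlsplit(value.strip())
        host = parts.hostname  # already lower-cased, userinfo and port removed
    except ValueError:
        return "malformed"
    if parts.scheme not in ("http", "https") or not host:
        return "malformed"
    # Exact host match only; substring or prefix tests would accept
    # look-alike names such as example.com.other.test.
    return "allowed" if host in ALLOWED_REFERER_HOSTS else "foreign"


def decide(headers, allow_absent):
    """Apply the site's choice: a missing Referer is allowed or denied by policy."""
    kind = classify_referer(headers)
    if kind == "absent":
        return allow_absent
    return kind == "allowed"


# Constructed sample requests, not taken from any real log.
SAMPLES = [
    {"Referer": "http://www.example.com/index.html"},
    {"referer": "http://example.com.other.test/page"},
    {"Referer": "http://example.com@other.test/"},
    {"Referer": "not a url"},
    {},  # bookmark, typed URL or disabled header
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(classify_referer(request), decide(request, allow_absent=True))
```

The value is supplied by the client, so a check like this describes what the request claims about its origin and is not a substitute for authentication.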