
Re: confidentiality and the referer field

From: Matthew Rubenstein <ruby@name.net>
Date: Thu, 26 Jun 1997 16:35:51 -0400
Message-Id: <>
To: Hallam-Baker <hallam@ai.mit.edu>
Cc: Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com>, http-wg@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/3577

At 04:29 PM 6/26/97 -0400, Hallam-Baker wrote:
>> Assuming you're not suggesting removing the REFERER header field
>> altogether, that's not true.  Sites would simply need to decide whether
>> a request without a REFERER was acceptable or not, and allow or deny
>> the request accordingly.
>OK "restrict the ability".
>There are already many situations where a browser can't send a referer
>field, such as when the link is a bookmark.

	The lack of a REFERER value there is effectively a spec omission that
effects an overload of a null REFERER to indicate several conditions,
including key entry, "bookmarks" and client bug.

> As clients allow the user to
>disable the referer field sites will be less able to refuse requests
>for frivolous reasons.

	One client's frivolous reason is another server's special case. It's _my_
server, why can't I restrict access based on what enabled the request?

>I was simply flagging a secondary consequence of the change.
>	Phill

Matthew Rubenstein                    North American Media Engines
Toronto, Ontario   *finger matt for public key*      (416)943-1010

			    Chess is for computers.
Received on Thursday, 26 June 1997 13:42:24 UTC
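
Added example, not part of the original message: a sketch of the allow/deny decision the thread discusses, in which a site chooses one policy for every request that arrives without a Referer, whatever the cause. The allowed host, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical policy value; the thread names no hosts.
ALLOWED_REFERER_HOSTS = {"www.example.org"}


def get_header(headers, name):
    """Case-insensitive header lookup; None when absent or empty."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip() or None
    return None


def referer_decision(headers, allow_missing):
    """Return (allowed, reason) for one request's headers.

    A missing Referer covers several causes at once (typed URL, bookmark,
    client bug, user disabled the header), so the server cannot tell them
    apart and applies allow_missing to all of them. The header is supplied
    by the client, so this is a policy filter, not authentication.
    """
    referer = get_header(headers, "Referer")
    if referer is None:
        return allow_missing, "missing"
    try:
        parts = urlsplit(referer)
        host = parts.hostname  # already lower-cased by urlsplit
    except ValueError:  # e.g. an unterminated IPv6 literal
        return False, "malformed"
    if parts.scheme not in ("http", "https") or not host:
        return False, "malformed"
    if host in ALLOWED_REFERER_HOSTS:
        return True, "allowed-host"
    return False, "foreign-host"


# Constructed sample requests (header dictionaries), not captured traffic.
SAMPLE_REQUESTS = [
    {"Referer": "http://www.example.org/index.html"},
    {"referer": "http://other.example.net/page"},
    {},  # bookmark, typed URL, client bug or disabled header
    {"Referer": "not a url"},
]


def evaluate(requests, allow_missing):
    """Apply the policy to each request and collect the decisions."""
    return [referer_decision(h, allow_missing) for h in requests]
```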
