Re: confidentiality and the referer field

Matthew Rubenstein <ruby@name.net> writes:

>One client's frivolous reason is another server's special case. It's _my_
>server, why can't I restrict access based on what enabled the request?

Indeed, the access-control specification in our VM:Webserver product
allows the owner of an object to grant or deny access to it based in
part on the contents of the REFERER header field.  Some of our customers
like to use it to deny links from their competitors' sites, on the
assumption that the link says something like:

   Click here to see a <A HREF="http://site/x/y">really stupid</A>
   alternative to our wonderful, cheaper product!  Then come back
   and click here to <A HREF="buyit.cgi">order ours!</A>

I have no objection to an HTML file saying (by a new tag or a new HTTP
header field) that links from it should be unreferred, but don't
deprecate access control based on REFERER - it's a useful tool for lots
of us.

Ross Patterson
Sterling Software, Inc.
VM Software Division

Received on Thursday, 26 June 1997 14:34:03 UTC
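
The kind of check described in the message above, as an added example that is not part of the original post and is not VM:Webserver's code: a deny rule keyed on the host named in the Referer field. The function names, the rule format and the sample hosts are assumptions made up for illustration; because the field is supplied by the client and may be absent or malformed, the policy for that case is an explicit parameter.

```python
from urllib.parse import urlsplit

# Assumed policy for illustration: pages on these hosts may not link to the object.
DENIED_REFERRER_HOSTS = {"competitor.example"}


def referrer_host(headers):
    """Return the lower-cased host from the Referer field, or None if absent/unparsable."""
    # Header field names are case-insensitive, so match on the lowered name.
    value = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    value = (value or "").strip()
    if not value:
        return None
    try:
        host = urlsplit(value).hostname  # already lower-cased, port stripped
    except ValueError:                   # e.g. a malformed bracketed IPv6 literal
        return None
    return host.rstrip(".") if host else None


def host_matches(host, denied):
    """True if host is a denied host or a subdomain of one (label-aligned match)."""
    return any(host == d or host.endswith("." + d) for d in denied)


def access_decision(headers, denied=DENIED_REFERRER_HOSTS, allow_missing=True):
    """Return "allow" or "deny" for one request, based in part on its Referer field."""
    host = referrer_host(headers)
    if host is None:
        # No usable Referer: the object's owner has to pick a default.
        return "allow" if allow_missing else "deny"
    return "deny" if host_matches(host, denied) else "allow"


# Constructed sample requests (header dictionaries), not captured traffic.
SAMPLE_REQUESTS = [
    {"Referer": "http://competitor.example/compare.html"},
    {"referer": "http://WWW.Competitor.Example:8080/x"},
    {"Referer": "http://notcompetitor.example/"},
    {"Referer": "http://[::1"},
    {},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", access_decision(req))
```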