W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

Re: confidentiality and the referer field

From: Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com>
Date: Thu, 26 Jun 97 17:31:56 EDT
Message-Id: <199706262146.AA01019@reston.vmd.sterling.com>
To: http-wg@cuckoo.hpl.hp.com
Cc: Ross_Patterson@ns.reston.vmd.sterling.com
Hallam-Baker <hallam@ai.mit.edu> writes:

>When I originally wrote that spec bookmarks did not exist... People used to
>compile a personal home page with relevant info on it.

I use a browser (Charlotte, for VM/CMS systems) that does exactly that
to store its bookmarks.  Bookmark references come through with
"Referer: file:///HOTLIST.HTML.A1", which wouldn't make my company's
access control very happy but is still quite correct.

>Really the bug is that we never specified a URL space for client use.

FILE: comes sort of close, though, as it has an somewhat opaque meaning
if you can't read the user's filesystem.

>I don't think that supporting these peoples restrictions is a sufficient
>reason not to make the change...

Nor do I.  So long as REFERER is still a part of HTTP, and not
deprecated, I'm happy.  Our customers who use REFERER will either do so
or not depending on what makes sense for their business, and we will
continue to provide the capability for them to do so.

>        "Hints" imply that they can at best ensure SHOULD compliance and
>not a MUST. While the restriction could not be introduced as a MUST a
>future protocol revision might make it one.

Agreed, if a URL's response says "don't identify me as a REFERER",
we can't make it a MUST at this time, but we can require that any
client that understands the "don't tell on me" header field MUST comply.
And naturally, some sites will respond with "Sorry bub, I need to know
who told you about me."

Ross Patterson
Sterling Software, Inc.
VM Software Division
Received on Thursday, 26 June 1997 14:44:32 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:45 EDT