W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

Re: GET and referer security considerations

From: Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com>
Date: Wed, 2 Jul 97 09:05:31 EDT
Message-Id: <199707021309.AA26810@reston.vmd.sterling.com>
To: http-wg@cuckoo.hpl.hp.com
Larry Masinter <masinter@parc.xerox.com> writes:

>Why don't I ask for volunteers to draft a sentence or two on the
>general issue of security/privacy around 'Referer:' and when it
>should and shouldn't be sent. If the advice is "Never, unless blah".

Unless I missed something, I didn't observe a concensus that REFERER
should be deprecated.  It serves a very useful purpose for many sites,
and isn't overly nasty in terms of privacy - it's a one-step click trail.
Of course, if all the clicks are within one site, then a path can
be developed from the string of REFERERs, but if you've got the log data
you can do that anyway.  Most log analysis tools attempt to do that
already, with or without REFERER data in the log.

Phill Hallam-Baker started this with a vague note that appeared to
suggest server-to-client advice on whether or not REFERERs should be
generated from the served object.  Rather than draft some language
deprecating REFERER, let's ask Phill to explain in more detail what he
has in mind, and discuss the proposal at that point.

Ross Patterson
Sterling Software, Inc.
VM Software Division
Received on Wednesday, 2 July 1997 06:08:01 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:45 EDT