Historically it was possible to set some/all HTTP request headers via client-side scripting (this was demonstrated with Flash several times, e.g. http://www.securityfocus.com/archive/1/441014). Referer was thus spoofed, rendering Referer-based defense methods useless. Obviously this was/is an implementation bug, but perhaps one that could have been avoided had the HTTP standard mandated an explicit list of headers that are disallowed to be set from the client side. Would it thus be possible to address such an issue with the current proposal?

On Sat, Jan 31, 2009 at 1:19 AM, Adam Barth <w3c@adambarth.com> wrote:
>
> On Fri, Jan 30, 2009 at 3:16 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> I was thinking something like
>>
>> Referer: data:hidden
>> Referer: about:bookmarks
>> Referer: https:
>>
>> and others where appropriate.
>
> There is some value in having a catch-all "OMG, I can't figure it out"
> value. Keep in mind that you want to have a branch somewhere deep in
> the bowels of the HTTP stack that enforces this requirement, and that
> code might not have enough context to figure out that this was the
> user clicking on a bookmark.
>
> Adam
>

Received on Saturday, 31 January 2009 18:05:26 GMT
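The two defensive points raised in this message, a fixed list of request headers that client-side code must never be allowed to set, and a server-side check that does not mistake the opaque Referer placeholders Roy proposes (data:hidden, about:bookmarks, a bare https:) for a trustworthy source, can be sketched in a few lines. The following is an added example written for this archive page; it is not code from the thread's participants or from any browser. The forbidden-header list is an assumption loosely modelled on the forbidden request header names in the WHATWG Fetch standard, and the host names are constructed sample values.

```python
"""Added example (not part of the list thread).

1. merge_script_headers(): a client-side HTTP stack that ignores
   script-supplied values for headers the user agent itself owns.
   FORBIDDEN_REQUEST_HEADERS is an assumed list, loosely following the
   Fetch standard's forbidden request header names.
2. request_source() / allow_state_changing_request(): a server-side
   CSRF check that prefers Origin, falls back to Referer, and treats
   opaque values ("data:hidden", "about:bookmarks", "https:", "null")
   as *unknown* rather than as a trusted source.
"""
from urllib.parse import urlsplit

# Headers the user agent must set itself; script-supplied values are dropped.
# Assumed list for illustration, not the normative one from any spec.
FORBIDDEN_REQUEST_HEADERS = frozenset({
    "host", "origin", "referer", "cookie", "cookie2", "content-length",
    "connection", "transfer-encoding", "date", "via", "trailer", "te",
    "upgrade", "keep-alive", "expect", "access-control-request-method",
    "access-control-request-headers", "dnt", "set-cookie",
})


def merge_script_headers(ua_headers, script_headers):
    """Return (headers actually sent, names rejected).

    Client-side code may add its own headers but cannot override a
    UA-owned header or anything in the Sec-/Proxy- namespaces.
    """
    out = {k.lower(): v for k, v in ua_headers.items()}
    rejected = []
    for name, value in script_headers.items():
        key = name.lower()
        if key in FORBIDDEN_REQUEST_HEADERS or key.startswith(("sec-", "proxy-")):
            rejected.append(name)
            continue
        out[key] = value
    return out, rejected


def _is_opaque(value):
    """True when the header value carries no usable authority (host) part.

    Covers a missing value, the scheme-only "https:" form, and the
    data:/about: placeholders discussed in the thread.
    """
    if not value or value == "null":
        return True
    parts = urlsplit(value)
    return parts.scheme in ("data", "about") or not parts.netloc


def request_source(headers):
    """Classify the claimed source of a request for a CSRF check.

    Returns ("origin", host), ("referer", host) or ("unknown", None).
    Origin wins over Referer because it is set by the browser for
    cross-site requests and never carries a path.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if not _is_opaque(origin):
        return "origin", urlsplit(origin).netloc.lower()
    referer = h.get("referer")
    if not _is_opaque(referer):
        return "referer", urlsplit(referer).netloc.lower()
    return "unknown", None


def allow_state_changing_request(headers, trusted_hosts, allow_unknown=False):
    """Decide whether a state-changing request may proceed.

    An opaque/missing source is neither trusted nor untrusted; the
    deployment chooses via allow_unknown (False is the safe default,
    True keeps bookmark-initiated requests working at some CSRF risk).
    """
    kind, host = request_source(headers)
    if kind == "unknown":
        return allow_unknown
    return host in trusted_hosts


if __name__ == "__main__":
    # Constructed sample: script tries to forge Referer, UA keeps its own.
    sent, dropped = merge_script_headers(
        {"Host": "bank.example", "Referer": "https://bank.example/account"},
        {"Referer": "https://bank.example/forged", "X-Requested-With": "XHR"},
    )
    print(sent["referer"], dropped)
    for hdrs in ({"Origin": "https://attacker.example"},
                 {"Referer": "data:hidden"},
                 {"Referer": "https://bank.example/form"}):
        print(hdrs, "->", allow_state_changing_request(hdrs, {"bank.example"}))
```

The opaque values are deliberately mapped to a third state rather than being treated like a real origin: a bare `https:` or `about:bookmarks` tells the server only that the browser could not or would not name a source, which is exactly the "catch-all" case Adam describes, and a site has to decide explicitly whether that case is allowed to change state.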