
Re: Sending Referer [#144]

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 12 Jun 2009 16:41:18 -0700
Message-ID: <7789133a0906121641n374ba3au6f47979949988f3b@mail.gmail.com>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Jun 12, 2009 at 4:10 PM, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> Tue 2009-06-02 at 01:50 +1000, Mark Nottingham wrote:
>> However, in previous discussions, Adam et al indicated that it would
>> be interesting to require that Referer always be sent, by minting a
>> new value (e.g., 'null', although it will have to be something else,
>> since "null" is a valid partial-URI) to indicate when a Referer is not
>> available.
>
> Not having that discussion in front of me, but why would one want this?
>
> A non-existing Referer header means that the user agent either doesn't
> have a referer URI, or does not want to tell what it was. How is sending a
> "null" Referer header different from this?

We've already covered this in previous discussion, but the high level
reason is so servers can distinguish the following two cases:

1) The Referer header was stripped from the request in transit.
2) The User Agent did not attach a Referer because no particular URI
was appropriate.

Being unable to distinguish these cases prevents servers from being
able to use the Referer header to mitigate CSRF vulnerabilities.  For
more details, please see the archives.

Adam
Received on Friday, 12 June 2009 23:42:12 GMT
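An added illustration of the server-side distinction Adam describes (example code written for this archive page, not code from the thread or from any browser or server project): a Referer check for state-changing requests that separates "header absent" from "UA explicitly said no referrer applies". The token `NO_REFERER_TOKEN = "null"` is a placeholder for whatever value the WG would actually mint (Mark notes "null" itself is a valid partial-URI), and `referer_decision`/`csrf_policy` and the sample headers are constructed for this example.

```python
from urllib.parse import urlsplit

# Placeholder for the explicit "no referrer available" value discussed in
# the thread; the real token would have to be something other than "null".
NO_REFERER_TOKEN = "null"


def referer_decision(headers, site_origin):
    """Classify a state-changing request by its Referer header.

    Returns one of:
      "allow"     - Referer is same-origin with site_origin
      "deny"      - Referer names another origin, is unparseable, or the
                    UA explicitly signalled that no referrer applies
      "ambiguous" - header absent: either the UA attached nothing or an
                    intermediary stripped it in transit; without an
                    explicit token the server cannot tell which
    """
    # Header names are case-insensitive in HTTP.
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        return "ambiguous"
    if referer.strip().lower() == NO_REFERER_TOKEN:
        return "deny"
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return "deny"  # relative or malformed: do not trust it
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    return "allow" if origin == site_origin.lower() else "deny"


def csrf_policy(headers, site_origin, strict=False):
    """Map the classification to accept/reject.

    strict=False: an absent header is tolerated, because it may simply have
    been stripped by a proxy; this is the hole Adam is pointing at.
    strict=True:  an absent header is rejected; only safe to run once UAs
    always send either a URI or the explicit token, so absence means
    "stripped in transit" rather than "nothing to send".
    """
    decision = referer_decision(headers, site_origin)
    if decision == "ambiguous":
        return "reject" if strict else "accept"
    return "accept" if decision == "allow" else "reject"


# Constructed sample requests against a site at https://shop.example.
SAME_SITE = {"Referer": "https://shop.example/cart"}
CROSS_SITE = {"referer": "https://attacker.example/page"}
STRIPPED_OR_ABSENT = {"Host": "shop.example"}
EXPLICIT_NONE = {"Referer": "null"}
```

With the explicit token in use, `EXPLICIT_NONE` is rejected outright while `STRIPPED_OR_ABSENT` can be treated as a stripped header; without it, both collapse into the same "ambiguous" case.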

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:03 GMT