W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 22 Jan 2009 16:41:37 -0800
Message-Id: <D68C2B5C-92B4-4C24-9261-D1233E4164E2@gbiv.com>
Cc: Larry Masinter <LMM@acm.org>, <ietf-http-wg@w3.org>, "'Lisa Dusseault'" <ldusseault@commerce.net>
To: Mark Nottingham <mnot@mnot.net>

On Jan 22, 2009, at 4:20 PM, Mark Nottingham wrote:
> On 23/01/2009, at 10:07 AM, Roy T. Fielding wrote:
>>
>> 4) Even if such a feature becomes necessary, it can be far
>> easier accomplished by changing the operational behavior of
>> browsers such that they always send Referer and simply reduce
>> the value of that field (similar to that specified for Origin)
>> in those cases where it is currently not set at all.  No change
>> would then be needed to HTTP and existing agents that already
>> send Referer for these cases would already comply.
>
> I don't agree. Unless it's very well-specified and implemented,  
> this will have the effect of dumbing down Referer, reducing its  
> utility for other purposes.

I don't understand -- the only case that would be affected
is the one wherein no Referer is sent today.  It is easy
to distinguish that case from other Referer values because it
excludes anything after the URI authority (normal "http" Referer
values always have a path portion of at least "/").  Hence,
the change is both HTTP-compliant and detectable by origin
servers (if they cared, which I don't expect they would).

....Roy
Received on Friday, 23 January 2009 00:42:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT