
Re: The HTTP Origin Header (draft-abarth-origin)

From: Adrien de Croy <adrien@qbik.com>
Date: Fri, 23 Jan 2009 13:51:06 +1300
Message-ID: <4979147A.5030402@qbik.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: Mark Nottingham <mnot@mnot.net>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, 'Lisa Dusseault' <ldusseault@commerce.net>


Absence of a Referer field is significant and useful - take a look at 
Google Analytics for a compelling reason why.

It allows a site to determine if it was hit by way of linking from 
another site, or presume that the human typed the URI directly into the 
browser.

I don't see why servers can't protect themselves without changing 
Referer though.

Adrien


Roy T. Fielding wrote:
>
> On Jan 22, 2009, at 4:20 PM, Mark Nottingham wrote:
>> On 23/01/2009, at 10:07 AM, Roy T. Fielding wrote:
>>>
>>> 4) Even if such a feature becomes necessary, it can be far
>>> easier accomplished by changing the operational behavior of
>>> browsers such that they always send Referer and simply reduce
>>> the value of that field (similar to that specified for Origin)
>>> in those cases where it is currently not set at all.  No change
>>> would then be needed to HTTP and existing agents that already
>>> send Referer for these cases would already comply.
>>
>> I don't agree. Unless it's very well-specified and implemented, this 
>> will have the effect of dumbing down Referer, reducing its utility 
>> for other purposes.
>
> I don't understand -- the only case that would be affected
> is the one wherein no Referer is sent today.  It is easy
> to distinguish that case from other Referer values because it
> excludes anything after the URI authority (normal "http" Referer
> values always have a path portion of at least "/").  Hence,
> the change is both HTTP-compliant and detectable by origin
> servers (if they cared, which I don't expect they would).
>
> ....Roy
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Friday, 23 January 2009 00:49:01 GMT
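
Added example, not part of the original message or of draft-abarth-origin: a server-side classifier showing that the three cases discussed in this thread (no Referer at all, a Referer reduced to scheme and authority, and a normal Referer with a path) can be told apart from the header value alone. The function names and the sample header values are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def classify_referer(value):
    """Classify a raw Referer value (None when the header was not sent).

    Returns (kind, origin): kind is "absent", "origin-only", "full" or
    "invalid"; origin is scheme://host[:port] or None.
    """
    if value is None or not value.strip():
        return ("absent", None)
    try:
        parts = urlsplit(value.strip())
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return ("invalid", None)
    if parts.scheme not in DEFAULT_PORTS or not host:
        return ("invalid", None)
    if ":" in host:  # IPv6 literal: hostname drops the brackets
        host = f"[{host}]"
    origin = f"{parts.scheme}://{host}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    # A normal http Referer always has a path of at least "/", so a value
    # that stops at the authority is the reduced form.
    if not (parts.path or parts.query or parts.fragment):
        return ("origin-only", origin)
    return ("full", origin)

def tally(values):
    """Count how many header values fall into each kind."""
    return Counter(classify_referer(v)[0] for v in values)

# Constructed sample values, not taken from real traffic.
SAMPLE = [
    None,
    "http://example.com",
    "http://example.com/",
    "https://Shop.Example:8443/cart?id=1",
    "http://example.com:abc/",
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(repr(v), "->", classify_referer(v))
    print(dict(tally(SAMPLE)))
```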
