- From: Daniel Stenberg <daniel@haxx.se>
- Date: Fri, 23 Jan 2009 09:36:02 +0100 (CET)
- To: ietf-http-wg@w3.org
On Thu, 22 Jan 2009, Adam Barth wrote:

> This is not an assumption. In April 2008, measured how often various
> headers were suppressed for 283,945 browsers who viewed an advertisement we
> placed with a minor ad network. We observed that the Referer header was
> suppressed for approximately 3% of requests whereas the Origin header was
> only suppressed 0.029-0.047% of requests (95% confidence).

Surely this isn't really surprising. Referer is a standardized and established header that has been in use for a long time and proxy admins/products/companies have adapted and reacted.

Origin is a newly suggested header that certainly none of the admins/products/companies have bothered about since it isn't standardized nor in actual use and thus they don't block it - yet.

Further, the argument:

> the employee will not leak any information in the Origin header because it
> is not sent for GET requests.

... will thus break when that same intranet has a 'search the with loogle' field that sends a POST to the external site?

-- 

 / daniel.haxx.se
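The two mechanisms argued about above, as an added illustration that is not part of the original mail and not code from any browser or from the Origin proposal itself: a toy model of a browser that attaches Origin only to non-GET requests (the behaviour the quoted argument relies on), a header-stripping proxy, and a server-side CSRF check that has to decide what to do when Origin is missing. The hostnames (wiki.corp.example, loogle.example, bank.example), the header-stripping proxy and the fail-closed policy are constructed for the example; the proposal's exact serialization rules are simplified to scheme://host[:port].

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url):
    """Reduce a URL to scheme://host[:port], dropping path and query.

    This is the piece of a page's URL an Origin header discloses; the
    full URL (path, query) is what Referer discloses.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def browser_request(method, initiating_page, target_url):
    """Headers a browser following the 2009-era Origin proposal would send.

    Assumption (simplified): Referer carries the full initiating URL,
    Origin is attached only to non-GET requests and carries the
    initiating page's origin. Hostnames here are constructed.
    """
    headers = {
        "Host": urlsplit(target_url).hostname,
        "Referer": initiating_page,
    }
    if method.upper() != "GET":
        headers["Origin"] = serialize_origin(initiating_page)
    return headers


def strip_headers(headers, names):
    """Constructed corporate proxy: drop the listed headers, keep the rest.

    Models a proxy that has learned to strip Referer but not the
    (as yet unstandardized) Origin header.
    """
    drop = {n.lower() for n in names}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def csrf_check(method, headers, site_origin):
    """Server-side CSRF gate for a site whose own origin is site_origin.

    Returns (allowed, reason). Safe methods pass without a check because
    Origin is not sent for GET and GET is assumed side-effect free.
    For state-changing methods: trust Origin when present, fall back to
    the origin of Referer, and fail closed when both were stripped,
    because an absent header is indistinguishable from a forged request.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    origin = headers.get("Origin")
    if origin is not None:
        return origin.lower() == site_origin.lower(), "origin header"
    referer = headers.get("Referer")
    if referer:
        return serialize_origin(referer).lower() == site_origin.lower(), "referer fallback"
    return False, "no origin or referer: fail closed"


if __name__ == "__main__":
    intranet_page = "http://wiki.corp.example/search"
    # GET: nothing leaks via Origin; POST: the intranet hostname leaks even
    # through a proxy that strips Referer.
    print(browser_request("GET", intranet_page, "https://loogle.example/q"))
    print(strip_headers(browser_request("POST", intranet_page, "https://loogle.example/q"), ["Referer"]))
    print(csrf_check("POST", {"Origin": "http://evil.example"}, "https://bank.example"))
    print(csrf_check("POST", {}, "https://bank.example"))
```

The fail-closed branch is the cost of the suppression numbers quoted in the thread: every request whose Origin and Referer are both stripped is rejected, which is why the suppression rate of the header a site relies on matters to the site operator as much as to the privacy of the user.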
Received on Friday, 23 January 2009 08:46:29 UTC