Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 30 Jan 2009 14:36:07 -0800
Message-ID: <7789133a0901301436q33447cd4i13ff0b615ad05617@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, ietf-http-wg@w3.org

On Fri, Jan 30, 2009 at 2:30 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> As Thomas says, there are lots of ways to do this, mostly by design.

[...]

> OK, so can't we get incremental improvement by specifying what Referer
> should be in these situations, and having browsers implement that?

Yes.  That's an interesting idea.  We could let user agents send the
value "null" in the Referer header and then require user agents to
always send a Referer header (possibly with the value "null").  This
would let servers distinguish between a header suppressed by the
attacker (value is null) and suppressed by the network (header is
gone) in the same way the Origin header proposes.

Adam
Received on Friday, 30 January 2009 22:36:42 GMT
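
The server-side distinction described in the message above, sketched as an added example that is not part of the original message or of draft-abarth-origin. It assumes the proposed behaviour (user agents always send Referer, with the value "null" when it was suppressed); the function names, the `accept_absent` policy switch and the `bank.example` origin are hypothetical.

```python
from enum import Enum
from urllib.parse import urlsplit

class RefererState(Enum):
    ABSENT = "absent"            # header gone: suppressed by the network
    NULL = "null"                # value "null": suppressed on the client side
    SAME_ORIGIN = "same-origin"
    CROSS_ORIGIN = "cross-origin"
    MALFORMED = "malformed"

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port        # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])

def classify_referer(headers, site_origin):
    """headers: dict keyed by lower-cased header name (assumed pre-normalised)."""
    value = headers.get("referer")
    if value is None:
        return RefererState.ABSENT
    value = value.strip()
    if value == "null":
        return RefererState.NULL
    origin = origin_of(value)
    if origin is None:
        return RefererState.MALFORMED
    same = origin == origin_of(site_origin)
    return RefererState.SAME_ORIGIN if same else RefererState.CROSS_ORIGIN

def allow_state_change(method, headers, site_origin, accept_absent=True):
    """Assumed policy: safe methods pass; unsafe ones need a same-origin Referer.
    accept_absent=True keeps users behind header-stripping proxies working."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    state = classify_referer(headers, site_origin)
    if state is RefererState.ABSENT:
        return accept_absent
    return state is RefererState.SAME_ORIGIN
```

Comparing the full (scheme, host, port) tuple rather than a string prefix keeps a Referer such as `https://bank.example.attacker.test/` from being treated as same-origin.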