W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 30 Jan 2009 15:16:23 -0800
Message-Id: <F99B276A-6D64-4C6C-B8B4-EEA59AF6F58A@gbiv.com>
Cc: Mark Nottingham <mnot@mnot.net>, Bjoern Hoehrmann <derhoermi@gmx.net>, ietf-http-wg@w3.org
To: Adam Barth <w3c@adambarth.com>

On Jan 30, 2009, at 2:36 PM, Adam Barth wrote:
> On Fri, Jan 30, 2009 at 2:30 PM, Mark Nottingham <mnot@mnot.net>  
> wrote:
>>> As Thomas says, there are lots of ways to do this, mostly by design.
> [...]
>> OK, so can't we get incremental improvement by specifying what  
>> Referer
>> should be in these situations, and having browsers implement that?
> Yes.  That's an interesting idea.  We could let user agents send the
> value "null" in the Referer header and then require user agents to
> always send a Referer header (possibly with the value "null").  This
> would let servers distinguish between a header suppressed by the
> attacker (value is null) and suppressed by the network (header is
> gone) in the same way the Origin header proposes.

I was thinking something like

    Referer: data:hidden
    Referer: about:bookmarks
    Referer: https:

and others where appropriate.

Received on Friday, 30 January 2009 23:16:53 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:48 UTC