RE: Referer URI MUST NOT include a fragment

From: Larry Masinter <masinter@adobe.com>
Date: Wed, 25 Feb 2009 16:05:48 -0800
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <8B62A039C620904E92F1233570534C9B0118C86E24D5@nambx04.corp.adobe.com>

I think the idea of allowing fragment identifiers in
Referer is interesting, and I'm not sure what it would
break. It couldn't be mandated. I think the privacy
security concerns about Referer remain, and perhaps
the restriction was just a way of minimizing the
exposure?

The important limits on Referer in RFC 2616
are in the "Security Considerations" section
http://tools.ietf.org/html/rfc2616#section-15.1.2

At least a while ago, it was looking like the
"Origin" header proposal might instead be subsumed
by an extension to "Referer" instead, which seemed
like a positive direction. I don't think allowing
fragment identifiers in Referer for other purposes
would interfere with that.

Larry
-- 
http://larry.masinter.net
Received on Thursday, 26 February 2009 00:08:04 GMT
