Ian Hickson wrote:
> > That's the new part.
>
> Referer-Root is not new. It's a subset of an existing header.

The content of Referer-Root is a subset of Referer; however, the conditions under which an honest client sends Referer-Root are different. Today, an honest, correctly implemented browser won't send a cross-domain POST of XML content. Consequently, it is not convincing for a dishonest client to use the Referer header to claim that a web page from another site originated such a request. The same is not true of the Referer header. The Referer header can be used to convincingly blame another site for a request.

--Tyler

Received on Thursday, 7 February 2008 23:16:19 GMT