W3C home > Mailing lists > Public > public-html@w3.org > February 2008

Re: [whatwg] Referer header sent with <a ping>?

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 10 Feb 2008 00:06:03 +0000 (UTC)
To: Julian Reschke <julian.reschke@gmx.de>
Cc: "public-html@w3.org" <public-html@w3.org>
Message-ID: <Pine.LNX.4.62.0802092346151.20115@hixie.dreamhostps.com>

On Sat, 9 Feb 2008, Julian Reschke wrote:
> 
> That makes it sound a bit like a working group decision was made, which 
> I think is not the case.

Sorry if it sounded like that. Indeed, no working group decision has been 
made. I don't expect a working group decision to be made on details like 
this -- otherwise we'd be making working group decisions for centuries. :-)


> [...] There was no consensus for that.
> 
> [...] Ok, we'll continue to disagree on that. But please do not claim 
> that there was some kind of consensus for it.

Indeed, there is likely never going to be consensus on anything. In fact, 
I'm not even attempting to get a majority opinion. I take into account all 
the feedback received, and weigh the merits of the various technical 
points made, as well as the needs of the people who have sent feedback and 
the needs of the various groups of users, authors, and implementors that I 
have learnt about, and come to what I perceive as the best technical 
solution that addresses as many of the needs as possible. (This then 
repeats, for as long as new information is found.)


> ...in which case you shouldn't use the Referer header:
> 
> "The Referer[sic] request-header field allows the client to specify, for 
> the server's benefit, the address (URI) of the resource from which the 
> Request-URI was obtained..." -- 
> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.36.p.1>
> 
> [...] That states that a bogus (sic) Referer header could be used to 
> filter ping requests. There are many other ways to do that, so I don't 
> accept it as a valid argument.
>
> [...] The [#PING] value is illegal until you make it legal. To make 
> that, you'll have to change the definition in HTTP/1.1.

Indeed, if we don't find any problems with #PING, then we'll have to 
request a change to the HTTP specification. However, it is premature to be 
looking at doing this already, since we only just came up with the idea.


> > As noted by others, no Referer header is treated as a local Referer 
> > header, which makes it susceptible to XSRF.
> 
> Not sure what a "local" referer header would be.
>
> I'm not sure which mail you are referring to (pointer, please), is it 
> <http://lists.w3.org/Archives/Public/public-html/2008Feb/0014.html>?

Yes, that describes the problem. By "local" referrer I mean one that 
specifies a page with the same origin as the target URI.


> > > Kornel wrote:
> > > > Another advantage of headers is that Apache could log pings without help
> > > > of any scripts or non-standard modules - LogFormat directive allows
> > > > logging of arbitrary headers.
> > >
> > > I'm not sure how this is relevant...
> > 
> > It seems extremely relevant, as it enables cheap server-side use 
> > instead of requiring heavy lifting for the author.
> 
> For the author?

Indeed.


> It seems the additional work would be for the implementor of the web 
> server, implementing a module for ping tracking. I'm not sure why that's 
> considered a major issue.

There's no additional work required. As Kornel explained in the text 
quoted above, one can already use Apache for this.


> The risk is that recipients that expect a compliant Referer header will 
> break in some way.

Can you provide concrete examples of such servers?


> > > Could you please state what problem you are trying to solve, and why 
> > > it needs to involve the Referer header?
> > 
> > I believe the problem has been stated a number of times in this thread 
> > already. I refer you to dolphinling's original e-mail.
> 
> Pointer, please.

http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-January/013637.html


> My concern is that you're raking ease of implementation higher than 
> consistency of specifications.

Yes, absolutely. Indeed it's one of our principles:

   http://www.w3.org/TR/html-design-principles/#priority-of-constituencies

Interoperability and compatibility with existing deployed servers is 
orders of magnitude more important to me than pedantic compliance to other 
specifications. Specifications exist to help move civilisation forward, 
not to provide arbitrary restrictions on progress. When a specification 
gets in the way of improving the Web, it should be changed or displaced.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 10 February 2008 00:06:22 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:38:52 UTC