W3C home > Mailing lists > Public > public-html@w3.org > February 2008

Re: [whatwg] Referer header sent with <a ping>?

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 12 Feb 2008 12:30:06 +0100
Message-ID: <47B1833E.6010208@gmx.de>
To: Ian Hickson <ian@hixie.ch>
CC: "public-html@w3.org" <public-html@w3.org>

Ian Hickson wrote:
>> So you're saying that recipients treat the absence of a Referer header 
>> as indication the offering page was from the same origin?
> 
> More or less. What's really going on is that many pages treat a referer 
> from an unexpected domain as a sign that a XSRF is being attempted, but 
> treat the lack of referer or a referer from the same domain as being ok. 
> Lack of referer is usually treated this way in order to handle users with 
> software configured to strip all referers. (Many sites use a more secure 
> variant where no referrer is treated as a remote site referrer, but this 
> means the sites are unusable without referrer headers.)

I think what you're really saying is that these pages treat the absence 
of a Referer header as indication that Referer information is missing, 
just like RFC2616 says.

In absence of this information, they then behave as if the request was 
local, but that's not really the same thing as what you said. IMHO.

>> That would IMHO be contrary to what RFC2616 defines (the absence of the 
>> Referer header means that the Referrer either doesn't have a URI, or the 
>> client doesn't want to reveal it).
> 
> I don't think this is of much concern to many Web authors.

That may be true, but you have not convinced me that they indeed think 
that way.

>> Pointers, please.
> 
> I have no idea how to demonstrate this.

Aha.

>> How is the author affected?
> 
> I assume we are talking at cross-purposes here. The author would be the 
> one setting up the logging of the pings. Thus anything that makes that 
> affects how to log pings clearly affects the author.

So we're talking about somebody setting up ping tracking. Of course the 
way pings work affects the way how a server needs to be configured to 
count them. But it will need to be configured in *some* way anyway. So I 
really don't see how the mechanism is relevant, given the fact that code 
will need to be implemented for that purpose anyway.

> ...

BR, Julian
Received on Tuesday, 12 February 2008 11:30:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:12 GMT