W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Re: XMLHttpRequest Object feedback

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 6 Apr 2006 14:49:51 -0700
Message-Id: <F48C94E3-0C0E-4965-94EC-385ED11D4C4A@mnot.net>
To: public-webapi@w3.org

> >> The Referer header MUST be set, and MUST NOT be overridable; once
> >> cross-site XHR is available, sites will want to use it for
> >> security, logging, etc.
> >
> > I don't agree with this, a user agent MUST be allowed to anonymise
> > browsing, tracking users is not a suitable reason for changing this
> > behaviour.

Referer isn't generally used for user tracking; perhaps you're  
thinking of cookies?

I agree that end users should be allowed to "turn Referer off", as is  
the option in some browsers today, but allowing code to set the value  
of the Referer is a very different thing, and a significant  
divergence from current practice.

Many, many sites use the Referer as a first-level defense against  

For example, site A hosts images (whether they be weather maps or  
porn) for use in site A's content. If site B directly links to those  
images, it places a burden on site A's servers, which they may or may  
not want to accept. Site A can control this by examining the Referer  
header; if it contains a URI from site B, they can choose not to  
serve it. If the browser is configured not to send any referers, it  
can make a separate choice as to whether or not to allow the browser  
to view the image.

This works because site B has no control over the Referer that site A  
sends. It does not work perfectly (you have to account for browsers  
that don't send referer), but it works well enough, because third  
parties can't control how your browser sends Referer headers. If you  
give programmatic control of the Referer to site B, you allow them to  
bypass such mechanisms.

Additionally, site A might want to track referers for auditing, etc.;  
if Referer isn't set by default, they'll probably require people to  
use cookies, or different URLs for the same content -- neither being  
very Web-friendly.

Most browsers today (the only exception I've seen yet is Mozilla)  
send Referer from XMLHttpRequest; by explicitly disallowing it from  
being automatically set, you're diverging from the current model for  
XHR, as well as diverging from the model for normal browser operation.

So, I'm fine with something like "The Referer header SHOULD be set,  
and MUST NOT be overridable"; if the user wants to configure their  
browser not to send the Referer header, they should certainly be  
allowed to. However, the developer (site B in the example above) must  
not be given control over it in any condition.


Mark Nottingham     http://www.mnot.net/
Received on Thursday, 6 April 2006 21:49:59 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:20 UTC