
Re: XMLHttpRequest Object feedback

From: Jonas Sicking <jonas@sicking.cc>
Date: Sun, 09 Apr 2006 06:22:35 -0700
Message-ID: <44390A9B.1030906@sicking.cc>
To: Mark Nottingham <mnot@yahoo-inc.com>
Cc: public-webapi@w3.org

>> I don't want to specifically disallow it, I don't want it to be MUST, nor do
>> I see a particular reason for it not to be overridable - a browser may want
>> to not allow it to be overridable without specific user agreement outside of
>> the same domain for such reasons, but I don't see the reason for disallowing
>> it from overriding within the same domain - given that any cross domain is
>> with the explicit agreement of the user in all implementations today, I
>> don't see the problem with any of them setting it, indeed I have many use
>> cases for it.
> 
> OK. I've made my case and have heard from some individuals; it seems like
> there's agreement that automatically setting Referer shouldn't be
> disallowed, but disagreement about whether it should be overridable. I'd
> like to hear the WG's opinion on the matter.

I'm pretty sure that allowing referer to be overridden is a security 
issue (one that should be mentioned in the security section if nothing 
else).

Shopping sites may check that the referer is a product page when a 
request is made to add an item to the shopping cart. And the check-out 
page may perform a similar check before charging the credit card.

This would probably be helped by restricting to same-origin policies. 
But I'd like to have good use cases even for adding that. I think site 
authors would be upset if they couldn't rely on referer (which arguably 
already is an issue since some firewall products block outbound referer 
headers).

/ Jonas
Received on Sunday, 9 April 2006 13:22:34 GMT
