- From: Jim Ley <jim@jibbering.com>
- Date: Sun, 9 Apr 2006 15:24:48 +0100
- To: <public-webapi@w3.org>
"Jonas Sicking" <jonas@sicking.cc>

>> There's no arguably about it, many firewalls block it, as do others to
>> anonymise user activity through the web, such things cannot be relied on.
>> I also don't see the author use cases for shopping cart checks? Surely
>> these use cookie based state methods.
>
> Cookie based solutions won't work since cookies are sent with XHR. So to
> the site it'll look like this was a real request.

XHR can only request the same site in normal situations, so now I really don't understand what the problem you're trying to illustrate is? There are much bigger problems with allowing cross-site XHR than can be solved with referrer.

>> Site authors already cannot rely on referrer, so quite why they should be
>> able to rely on it with XHR I don't know, forcing special behavior on
>> UAs depending on where a request comes from seems to be something you
>> should do only in the most extreme situation.
>
> Saying that referrer can't be overridden isn't really 'forcing special
> behaviour'.

The request was for referrer to be required, that's the special behaviour, unless you make it also required, I see no point in requiring it can't be overridden...

Jim.

Received on Sunday, 9 April 2006 14:25:55 UTC