
Re: Include Referer-HTTP-header in requests from XMLHttpRequests

From: Jim Ley <jim@jibbering.com>
Date: Thu, 29 Jun 2006 21:12:58 +0100
Message-ID: <002e01c69bb8$6b4cc980$0302a8c0@Sniff>
To: "Mark Nottingham" <mnot@yahoo-inc.com>, "Mark Baker" <distobj@acm.org>
Cc: "Subbu Allamaraju" <subbu.allamaraju@gmail.com>, <public-webapi@w3.org>

"Mark Nottingham" <mnot@yahoo-inc.com>
> If I can't trust XHR to send a referer, I have to allow all requests, and
> that means that -- today -- somebody can link to that content from
> another site using <a>, <script>, <object>, etc.

No, you set an appropriate header to authorise the request, you don't rely on
referer, as that is unsafe, because it's unreliable and you would
unreasonably disqualify people from using your service.

Given the existence of better methods of meeting your use case, I see no 
reason to raise Referer up to should.

Jim. 
Received on Thursday, 29 June 2006 20:13:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:55 GMT