
Re: Include Referer-HTTP-header in requests from XMLHttpRequests

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 29 Jun 2006 21:20:40 +0000 (UTC)
To: Mark Baker <distobj@acm.org>
Cc: Mark Nottingham <mnot@yahoo-inc.com>, Subbu Allamaraju <subbu.allamaraju@gmail.com>, public-webapi@w3.org
Message-ID: <Pine.LNX.4.62.0606292119060.4826@dhalsim.dreamhost.com>

On Thu, 29 Jun 2006, Mark Baker wrote:
> > 
> > I would be very much against that. Referer is very useful to Web sites 
> > that want to restrict casual linking into images and other resources. 
> > If XHR is able to change referers, and also eventually enables 
> > cross-site, it will become trivial to circumvent this sort of protection 
> > (which, yes, isn't perfect, but is often good enough).
> 
> I agree, but that's for cross-domain, which is a very different problem.  
> I agree that Referer is of higher value in cross-domain scenarios.

It's not that different; once you have XXX (CROSS-site eXtensions to 
Xmlhttprequest), a simple one-domain XMLHttpRequest call can trivially 
turn into a cross-domain call simply by hitting a redirect. IMHO the 
restrictions for XXX should be the same as for normal XMLHttpRequest, 
otherwise we're just asking for obscure security bugs.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 29 June 2006 21:20:53 GMT
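The two mechanisms argued over above, the Referer-based hotlink check and a same-origin request turning cross-origin at a redirect, modelled as a small stand-alone Node.js script. This is an added example, not code from the thread or from any browser or W3C specification; the hostnames, URLs, allow list and redirect table are constructed for illustration, and the "check every hop" option stands in for the rule Hixie asks for (apply the same restriction after each redirect, not only to the URL the script opened).

```javascript
// Added example (not from the original thread). Models, offline, the two
// mechanisms discussed: a Referer-based hotlink gate and a redirect that turns a
// same-origin request into a cross-origin one. All names below are constructed.

// --- Referer-based hotlink protection, as a site "restricting casual linking" does it.
// allowMissing=true mirrors the usual lenient policy: browsers drop Referer in some
// situations (e.g. HTTPS -> HTTP), so a strict check would lock out real users.
// This is exactly why the protection "isn't perfect, but is often good enough":
// a client that can omit or rewrite Referer passes the check.
function refererAllowed(referer, allowedOrigins, allowMissing = true) {
  if (referer === undefined || referer === null || referer === '') return allowMissing;
  let origin;
  try {
    origin = new URL(referer).origin; // scheme + host + port only
  } catch {
    return false; // unparsable Referer: treat as foreign
  }
  return allowedOrigins.has(origin);
}

// --- Redirect following with the origin policy applied at every hop, versus only
// at the start. `redirects` maps a request URL to the Location header the server
// would answer with (a constructed table standing in for real responses).
function resolveRedirects(startUrl, redirects, { checkEveryHop = true, maxHops = 10 } = {}) {
  const allowedOrigin = new URL(startUrl).origin; // the "one-domain" the script started from
  const hops = [startUrl];
  let current = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const location = redirects[current];
    if (location === undefined) break; // final response, no redirect
    const next = new URL(location, current).href; // Location may be relative
    hops.push(next);
    if (checkEveryHop && new URL(next).origin !== allowedOrigin) {
      return { ok: false, reason: 'cross-origin redirect', hops };
    }
    current = next;
  }
  if (redirects[current] !== undefined) {
    return { ok: false, reason: 'too many redirects', hops };
  }
  return {
    ok: true,
    finalUrl: current,
    // With checkEveryHop=false this is the "obscure security bug": the request
    // was vetted as same-origin but actually fetched another origin.
    crossesOrigin: new URL(current).origin !== allowedOrigin,
    hops,
  };
}

// Constructed scenario: a page on example.com issues a same-origin XHR to
// /api/image, and that endpoint redirects to a hotlink-protected image elsewhere.
const REDIRECTS = {
  'https://example.com/api/image': 'https://photos.example.net/private.png',
  'https://example.com/loop': '/loop', // relative Location that loops forever
};

function demo() {
  const photosAllow = new Set(['https://photos.example.net']);
  return {
    legitimate: refererAllowed('https://photos.example.net/album', photosAllow), // true
    hotlink: refererAllowed('https://example.com/gallery', photosAllow),         // false
    missing: refererAllowed(undefined, photosAllow),                             // true (lenient)
    lax: resolveRedirects('https://example.com/api/image', REDIRECTS, { checkEveryHop: false }),
    strict: resolveRedirects('https://example.com/api/image', REDIRECTS),
    loop: resolveRedirects('https://example.com/loop', REDIRECTS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the `lax` result the request is reported `ok` yet `crossesOrigin` is true: the policy was evaluated once, against `https://example.com`, and the redirect carried the fetch to `photos.example.net`. The `strict` result stops at the first hop that leaves the starting origin, which is the behaviour the message argues for.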
