
Re: [xhr] cross site proposal headers

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 1 Aug 2007 00:24:06 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Anne van Kesteren <annevk@opera.com>, Web APIs WG <public-webapi@w3.org>
Message-ID: <Pine.LNX.4.64.0708010022550.32118@dhalsim.dreamhost.com>

On Thu, 26 Jul 2007, Jonas Sicking wrote:
> > 
> > Isn't Referer disabled by some third-party software now and then? Such 
> > as antivirus software? Another reason is probably that Referer-Root 
> > contains the exact format needed for the access check. We could use 
> > that in the access-control document probably.
> 
> This seems like a losing battle that I don't see a reason to fight. If 
> the user (by installing software or through corporate policies) disables 
> the Referer header, why should we try to circumvent them? That seems 
> just likely to piss them off and then add Referer-Root to their blocking 
> list.

Referer is blocked for privacy reasons (e.g. including personal data in 
the URL). Referer-Root is supposed to be safe from this, by only including 
host/domain information.


> If the sites want to use the Referer header and it has been blocked the 
> site can simply deny the request. Non-ideal for the end-user, but by 
> their own choice.

Referer is also blocked when going from https:// to http://, for the same 
reasons as above, and we want Referer-Root available then too.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
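As an added illustration of the distinction Ian draws above (example code written for this page, not part of the original thread or of any browser implementation): `referer_root` reduces a full URL to the scheme/host/port part the proposed Referer-Root header would carry, and `headers_for_request` is a hypothetical model of which of the two headers survives the two blocking cases mentioned in the mail. The header names come from the thread; the function names and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports that are omitted from the root form.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_root(url: str) -> str:
    """Reduce a URL to scheme://host[:port].

    Path, query, fragment and userinfo are dropped: those are the parts
    that can carry personal data (usernames, session tokens, account
    numbers) and are the reason full Referer values get stripped.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if parts.port is not None and parts.port != _DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def headers_for_request(source_url: str, target_url: str,
                        referer_blocked: bool = False) -> dict:
    """Hypothetical model of the headers a browser would attach.

    Referer-Root is always sent, because it carries only host/domain data.
    The full Referer is withheld when (a) the user or local software blocks
    it, or (b) the request goes from https:// to http://, the two cases
    the mail lists.  The fragment is never part of a Referer value.
    """
    src = urlsplit(source_url)
    dst = urlsplit(target_url)
    headers = {"Referer-Root": referer_root(source_url)}
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if not referer_blocked and not downgrade:
        headers["Referer"] = urlunsplit(src._replace(fragment=""))
    return headers
```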
Received on Wednesday, 1 August 2007 00:24:20 GMT
