[whatwg] <meta name="referrer">

On Tue, Oct 25, 2011 at 11:46 PM, Adam Barth <w3c at adambarth.com> wrote:

> On Tue, Oct 25, 2011 at 8:41 PM, Glenn Maynard <glenn at zewt.org> wrote:
> > It would fully break the basic use cases of Referer--being able to tell
> what
> > server is inlining resources on your server and causing it to be
> hammered,
> > and being able to do something about it.  "rel=originreferer" mode
> doesn't
> > have that problem, though.
>
> It's a matter of weighing the privacy and security benefits against
> the costs to that use case.  If you're interested in that use case,
> you might be interested in Anne's From-Origin proposal, which
> addresses it head-on.
>

From-Origin doesn't allow selectively revoking access to a resource, without
revoking it from everyone.

From-Origin also assumes a very small set of origins which can access a
resource.  If you have lots of domains (Google) or dynamically-generated
domains (Blogspot), it falls apart quickly.

I'd be concerned about losing this functionality of Referer before
From-Origin is fully proven.  I have doubts of From-Origin being a realistic
replacement for it.

-- 
Glenn Maynard

Received on Tuesday, 25 October 2011 21:05:29 UTC