
Why is a referrer header necessary?

From: Charlie Sorsby <crs@sorsby.org>
Date: Tue, 4 Apr 2006 16:31:37 -0600 (MDT)
Message-Id: <200604042231.k34MVbAK042451@sorsby.org>
To: www-validator@w3.org

Hello,

I don't understand why a "referrer header" should be necessary in
order to check the validity of a page.

1.  I quote from the Shields Up! web site:

https://www.grc.com/x/ne.dll?rh1dkyd2

    What's the "Referer" header?
    The web's HTTP protocol was designed with little
    concern for a web surfer's privacy and well before
    aggressive commercial interests decided to track
    surfers across the web, while storing and compiling
    any personal information that might leak from their
    browser.

    [...]

    When a web resource is requested from a server, the
    "Referer" header line provides the requested server
    with the URL of the web page that requested the item.
    But if an online web form has just been filled out
    and submitted using the most common "GET" method, the
    web surfer's potentially personal and private data
    will appear in the URL and it will be sent to any
    third-party servers, such as advertising, tracking,
    or web-bug servers, whose resources appear on the
    form's submission confirmation page!

    The most common (mostly benign) example of this is
    search engine queries where the search terms appear
    in the "tail portion" of the search URL. What's not
    obvious to the casual surfer is that the sites of any
    links they follow from such a search system receive
    that entire URL which appears in the address window
    as the "referer" to the site. This means that sites
    can tell that you came from a web search site, which
    web search site, and what you entered into the search
    site to bring you to them.

    This example, in itself, is probably not much cause
    for privacy concern, but it does demonstrate the
    potential for personal information leakage through
    filling out online web forms.


I've turned off "Enable referrer logging" in my web browser
(Opera 8.52); since then, I am unable to revalidate my pages
conveniently.

Before that, I could not do so by simply loading the original
file from my local machine into my web browser and clicking the
revalidate link.  (My actual pages are located on my ISP's system
but I create the pages on my local FreeBSD machine.)

If I simply load a local file into my browser to check whether
changes have broken validity, I can't just click on the revalidate
link on that page; I must go to your home page and load the file.
A bloody nuisance that does not encourage me to keep my pages
valid.

Now I find that, even if I want to recheck pages on my ISP's
machine -- i.e. my personal web pages -- I must change the
preferences set on my web browser from the privacy-preserving
settings that I normally have set to allow referrer logging.
At best this is annoying.

I see no valid reason that that should be necessary to check a
given page for validity.  All that should be necessary for that is
the URL (or file name) of the page to be checked.

I want to check the page whose URL (or file name) I've given you;
Not where it came from.

I grant that I'm anything but an expert but this seems both
unnecessary and counterproductive to me.

Unless, of course, the objective is to *permit* other sites to
invade my privacy.

Whose side are y'all on, anyway?

Charlie
--  
Charlie Sorsby
        crs@swcp.com
        P. O. Box 1225
        Edgewood, NM 87015
        USA

Why HTML in e-mail is evil: http://www.birdhouse.org/etc/evilmail.html
 and (possibly) how to turn it off: http://www.expita.com/nomime.html
Received on Wednesday, 5 April 2006 09:16:08 GMT
