- From: Kris Benson <doctorkb@synaptic.net>
- Date: Tue, 9 Jul 1996 18:27:26 -0700 (PDT)
- To: Paul Leach <paulle@microsoft.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
[This was Cc'd to the list, as the original was sent to the list, as well as the fact that it seems a relevant thing to discuss here. I'm including this message at the top, just to say "I hope this is appropriate, yet I'm not sure."]

On Tue, 9 Jul 1996, Paul Leach wrote:

> Jeff Mogul and I volunteered to write up a draft on simple demographics
> -- not the be-all and end-all, but something that would be enough to get
> an appreciable number of content providers to stop sending cache-busting
> responses.

If you need any help, let me know.

> Suppose we augmented the semantics of the Referer header so that, if it
> is used as a _response_ header (it is currently just a request header),
> it means that the server requests that a referer header is sent on any
> link followed from this page. If the user wishes to browse without
> leaving any trail of where they came from, they could override this, of
> course -- but I'm thinking that we would recommend AGAINST this, for the
> following reason:

Good point. The referrer header should be able to be requested to be sent to the next page, but _only_ if the server that the link is on says to go for it. If the server does not imply it, it should be assumed no.

But also, it may be worthwhile to have the Referrer header sent if the page the browser is going to is on the same server as the link to it. i.e. <URL: http://www.megacorp.com/whatever.html> has a link to <URL: http://www.megacorp.com/something.html>; this should be highly recommended that the browser send the Referrer header to the second one, stating that it came from the first document. As they are on the same host, there isn't really any large security issue.

Another idea would be for the first server to send a 'Trusted hosts' header, that would imply that any hosts specified there are considered trusted and the referrer should be sent to them. This way, if it is a private server, they can allow referrer header to be sent to their sites (such as <URL: http://www.megacorp.com> has a private site for their employees, too, at <URL: http://employees-only.megacorp.com/private/>). The employees only place can include the former (public) WWW server as a 'Trusted Host' so that they can determine which hits came from inside their company.

Now, this also brings up an additional point: do we allow the user to specify Untrusted hosts?

> What I'm looking for are comments on the privacy concerns with such an
> approach.

There would probably be a great deal of concern over a browser sending the headers without asking the user, much like the fuss over Netscape Navigator (tm) sending the 'From: ' header with the configured e-mail address in one of their Beta versions. While referrer doesn't seem to be as large of a security risk or privacy issue, it could cause some nervousness among users and companies, if they were relying on security by obscurity (not telling others about a private site, rather than protecting it).

About the only way to avoid this is to make sure that the spec says that this should default to 'none' if the 'trusted hosts' isn't there, or the site with the link doesn't say that it wants Referrer sent. If applicable, the spec should also make reference to the User having control as well.

--
Kris "The Doctor" Benson <kris@hackers-unlimited.com>
President, Hackers Unlimited
Personal HomePage: http://www.hackers-unlimited.com/doctorkb/
Hackers Unlimited: http://www.hackers-unlimited.com/
JAPH, HTMLer, Webmaster, UNIX guy for hire...
##### May your beard and your .sig grow longer with wisdom #####
Received on Tuesday, 9 July 1996 18:38:23 UTC
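
The default-deny Referer policy discussed in this message, written out as client-side decision logic. This is an added example, not part of the original e-mail or of any specification: the `refererRequested` and `trustedHosts` fields model the proposed response-header signals, and `neverSend` / `untrustedHosts` are hypothetical user settings, with the assumption that the user's choices always win.

```javascript
// Added example: Referer send/suppress decision for the policy sketched in the thread.
// pagePolicy models what the linking page's server sent (hypothetical field names):
//   refererRequested - "Referer" seen as a response header (server asks for it to be sent)
//   trustedHosts     - hosts named in the proposed 'Trusted hosts' header
// userPrefs models user control (assumed here to override every server signal).

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

function shouldSendReferer(fromUrl, toUrl, pagePolicy = {}, userPrefs = {}) {
  const { refererRequested = false, trustedHosts = [] } = pagePolicy;
  const { neverSend = false, untrustedHosts = [] } = userPrefs;
  const lower = (hosts) => hosts.map((h) => h.toLowerCase());

  let from, to;
  try {
    from = hostOf(fromUrl);
    to = hostOf(toUrl);
  } catch {
    // Fail closed: a URL we cannot parse never leaks a Referer.
    return { send: false, reason: "unparseable URL" };
  }

  if (neverSend) return { send: false, reason: "user override" };
  if (lower(untrustedHosts).includes(to)) {
    return { send: false, reason: "user-untrusted host" };
  }
  // Exact host match only: www.megacorp.com and employees-only.megacorp.com differ.
  if (from === to) return { send: true, reason: "same host" };
  if (lower(trustedHosts).includes(to)) return { send: true, reason: "trusted host" };
  if (refererRequested) return { send: true, reason: "server requested" };
  return { send: false, reason: "default none" };
}

// Constructed sample navigations using the host names from the message.
const samples = [
  ["http://www.megacorp.com/whatever.html", "http://www.megacorp.com/something.html", {}],
  ["http://employees-only.megacorp.com/private/", "http://www.megacorp.com/",
    { trustedHosts: ["www.megacorp.com"] }],
  ["http://employees-only.megacorp.com/private/", "http://www.example.org/", {}],
];
for (const [from, to, policy] of samples) {
  const d = shouldSendReferer(from, to, policy);
  console.log(`${from} -> ${to}: ${d.send ? "send" : "suppress"} (${d.reason})`);
}
```

The third sample is the case the message worries about: a link out of an unadvertised private site to an unrelated host, where the default of 'none' keeps the private URL from being disclosed.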