- From: Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com>
- Date: Thu, 26 Jun 97 17:26:30 EDT
- To: http-wg@cuckoo.hpl.hp.com
Matthew Rubenstein <ruby@name.net> writes:

> One client's frivolous reason is another server's special case. It's _my_
> server, why can't I restrict access based on what enabled the request?

Indeed, the access-control specification in our VM:Webserver product allows the owner of an object to grant or deny access to it based in part on the contents of the REFERER header field. Some of our customers like to use it to deny links from their competitors' sites, on the assumption that the link says something like:

    Click here to see a <A HREF="http://site/x/y">really stupid</A>
    alternative to our wonderful, cheaper product! Then come back
    and click here to <A HREF="buyit.cgi">order ours!</A>

I have no objection to an HTML file saying (by a new tag or a new HTTP header field) that links from it should be unreferred, but don't deprecate access control based on REFERER - it's a useful tool for lots of us.

Ross Patterson
Sterling Software, Inc.
VM Software Division
Received on Thursday, 26 June 1997 14:34:03 UTC
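
As an added illustration of the kind of rule the message above describes (not code from VM:Webserver or from the original post), the following Python grants or denies a request based in part on the Referer header, including the cases where the header is absent or unparseable. The function names, the deny list and the `allow_missing` switch are assumptions made for this example, and `competitor.example` is a constructed host.

```python
from urllib.parse import urlsplit

# Constructed policy: hosts whose pages may not link to the protected object.
DENIED_REFERER_HOSTS = {"competitor.example"}


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if absent/unparseable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # e.g. an unbalanced "[" in the host part
        return None
    return host.rstrip(".").lower() if host else None


def host_matches(host, rule):
    """True if host equals rule or is a subdomain of it (not a mere suffix)."""
    return host == rule or host.endswith("." + rule)


def decide(headers, denied=DENIED_REFERER_HOSTS, allow_missing=True):
    """Return 'allow' or 'deny' for a request, based in part on Referer.

    Referer is supplied by the client and is optional, so the policy has to
    state what happens when it is absent or unparseable (allow_missing).
    """
    # Header field names are case-insensitive.
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    host = referer_host(referer)
    if host is None:
        return "allow" if allow_missing else "deny"
    if any(host_matches(host, rule) for rule in denied):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests.
    for hdrs in ({"Referer": "http://competitor.example/compare.html"},
                 {"Referer": "http://partner.example/links.html"},
                 {}):
        print(hdrs, "->", decide(hdrs))
```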