Re: confidentiality and the referer field

At 05:31 PM 6/26/97 EDT, Ross Patterson wrote:
>Hallam-Baker <hallam@ai.mit.edu> writes:

>>Really the bug is that we never specified a URL space for client use.
>
>FILE: comes sort of close, though, as it has a somewhat opaque meaning
>if you can't read the user's filesystem.
>
>>I don't think that supporting these people's restrictions is a sufficient
>>reason not to make the change...
>
>Nor do I.  So long as REFERER is still a part of HTTP, and not
>deprecated, I'm happy.  Our customers who use REFERER will either do so
>or not depending on what makes sense for their business, and we will
>continue to provide the capability for them to do so.
>
>>        "Hints" imply that they can at best ensure SHOULD compliance and
>>not a MUST. While the restriction could not be introduced as a MUST a
>>future protocol revision might make it one.
>
>Agreed, if a URL's response says "don't identify me as a REFERER",
>we can't make it a MUST at this time, but we can require that any
>client that understands the "don't tell on me" header field MUST comply.
>And naturally, some sites will respond with "Sorry bub, I need to know
>who told you about me."

	We're defining the spec to specify a good protocol that reflects common
usage. A good protocol allows developers to rely on essential conditions
being reported/modeled in parameters. Worse than omission (which can often
be hacked^H^H^H^H^H^Hworked around) is unreliable availability (which
requires a mass of non-symmetrical code; cf "Cookie2"). The disintegrity
inherent in stateless HTTP already forces too many fall-back scenario
handlers to offer developers a predictable C/S environment; making REFERER
optional further degrades the reliability of the environment. Common
practice is flawed only where the spec didn't go far enough in specifying
what is required of the definition of "out of band" referring contexts.
Let's spec REFERER for _more_ usability, not less.


>Ross Patterson

--
Matthew Rubenstein                    North American Media Engines
Toronto, Ontario   *finger matt for public key*      (416)943-1010

			    Chess is for computers.

Received on Thursday, 26 June 1997 14:59:09 UTC