Re: Sending Referer [#144]

On Fri, Jun 12, 2009 at 4:10 PM, Henrik
Nordstrom<henrik@henriknordstrom.net> wrote:
> tis 2009-06-02 klockan 01:50 +1000 skrev Mark Nottingham:
>> However, in previous discussions, Adam et al indicated that it would
>> be interesting to require that Referer always be sent, by minting a
>> new value (e.g., 'null', although it will have to be something else,
>> since "null" is a valid partial-URI) to indicate when a Referer is not
>> available.
>
> Not having that discussion in front of me, but why would one want this?
>
> A non-existing Referer header means that the user agent either doesn't
> have a referer URI, or does not want to tell what it was. How is sending a
> "null" Referer header different from this?

We've already covered this in previous discussion, but the high level
reason is so servers can distinguish the following two cases:

1) The Referer header was stripped from the request in transit.
2) The User Agent did not attach a Referer because no particular URI
was appropriate.

Being unable to distinguish these cases prevents servers from being
able to use the Referer header to mitigate CSRF vulnerabilities.  For
more details, please see the archives.

Adam

Received on Friday, 12 June 2009 23:42:12 UTC
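The two cases Adam describes, shown as an added example (not code from the thread or from any of its participants): a server-side Referer check in Python, where a header stripped by a proxy and a header the user agent never set arrive as the same request. The sentinel constant is a hypothetical placeholder for the value the thread says would have to be minted; it is not a standard value.

```python
"""Referer-based CSRF check illustrating why an absent Referer is ambiguous."""
from urllib.parse import urlsplit

# Hypothetical placeholder for a minted "no referer available" value; the
# thread notes plain "null" will not do because it is a valid partial-URI.
NO_REFERER_SENTINEL = "about:no-referer"


def origin_of(url):
    """Return scheme://host[:port] in lower case, or None if not an absolute URI."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def check_csrf(headers, expected_origin, strict=False):
    """Decide whether a state-changing request is acceptable based on Referer.

    headers: dict with lower-case header names. Returns (decision, reason).
    """
    referer = headers.get("referer")
    if referer is None:
        # Case 1 (stripped in transit) and case 2 (UA had no applicable URI)
        # are indistinguishable here. A strict server rejects and breaks users
        # behind stripping proxies; a lenient server allows and loses the check.
        return ("reject" if strict else "allow", "referer-absent-ambiguous")
    if referer == NO_REFERER_SENTINEL:
        # With an explicit signal the server knows the UA deliberately sent no
        # referer, so the request did not originate from one of its own pages.
        return ("reject", "referer-explicitly-none")
    origin = origin_of(referer)
    if origin is None:
        return ("reject", "referer-unparseable")
    if origin == expected_origin:
        return ("allow", "same-origin")
    return ("reject", "cross-origin")


def strip_referer(headers):
    """Simulate a privacy proxy that removes Referer in transit (constructed)."""
    return {k: v for k, v in headers.items() if k != "referer"}


# Constructed sample requests: a legitimate same-site form post that passed
# through a stripping proxy, and a request a user agent sent with no referer.
LEGIT_VIA_PROXY = strip_referer({"host": "example.com", "referer": "https://example.com/form"})
NO_REFERER_REQUEST = {"host": "example.com"}
```

Running `check_csrf` on `LEGIT_VIA_PROXY` and `NO_REFERER_REQUEST` yields the same decision, which is exactly the indistinguishability the message points out.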