- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 12 Jun 2009 16:41:18 -0700
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Jun 12, 2009 at 4:10 PM, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> Tue 2009-06-02 at 01:50 +1000, Mark Nottingham wrote:
>> However, in previous discussions, Adam et al indicated that it would
>> be interesting to require that Referer always be sent, by minting a
>> new value (e.g., 'null', although it will have to be something else,
>> since "null" is a valid partial-URI) to indicate when a Referer is not
>> available.
>
> Not having that discussion in front of me, but why would one want this?
>
> A non-existing Referer header means that the user agent either doesn't
> have a referer URI, or does not want to tell what it was. How is sending a
> "null" Referer header different from this?

We've already covered this in previous discussion, but the high-level reason is so servers can distinguish the following two cases:

1) The Referer header was stripped from the request in transit.

2) The User Agent did not attach a Referer because no particular URI was appropriate.

Being unable to distinguish these cases prevents servers from being able to use the Referer header to mitigate CSRF vulnerabilities.

For more details, please see the archives.

Adam
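As an added illustration (not code from the thread or from any of its participants) of why the two cases matter to a server-side CSRF check: the validator below treats an absent Referer as ambiguous, which a strict policy must reject and a lenient policy must let through, whereas an explicit "no referrer" marker is the user agent's own statement that no URI was appropriate. The marker value `about:blank`, the host `example.com` and the policy choices are assumptions, since the thread only notes that "null" cannot be used.

```python
from urllib.parse import urlsplit

SITE_HOST = "example.com"           # constructed: the site that owns the form
NO_REFERRER_MARKER = "about:blank"  # hypothetical marker; the thread rejects "null" as a valid partial-URI


def classify_referer(headers):
    """Return 'same-site', 'cross-site', 'no-referrer' or 'absent' for a request."""
    value = headers.get("Referer")
    if value is None:
        return "absent"        # never set by the UA, or stripped in transit: cannot tell which
    if value == NO_REFERRER_MARKER:
        return "no-referrer"   # UA asserts no referring URI existed; the header was not stripped
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return "cross-site"    # unparsable value is treated as untrusted
    if host and (host == SITE_HOST or host.endswith("." + SITE_HOST)):
        return "same-site"
    return "cross-site"


def allow_state_change(headers, strict=True):
    """Decide whether a state-changing request passes the Referer-based CSRF check."""
    kind = classify_referer(headers)
    if kind == "same-site":
        return True
    if kind == "cross-site":
        return False           # browser-set Referer names another site: classic CSRF shape
    if kind == "no-referrer":
        return True            # explicit marker: a page-initiated cross-site request would carry that page's URI
    # 'absent': strict mode rejects because stripping cannot be ruled out;
    # lenient mode accepts so that proxies stripping Referer do not break the site
    return not strict
```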
Received on Friday, 12 June 2009 23:42:12 UTC