- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 12 Jun 2009 16:43:05 -0700
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Jun 12, 2009 at 4:13 PM, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> Mon 2009-06-01 at 14:11 -0700, Adam Barth wrote:
>> As things stand, the document forbids user agents from always sending
>> the Referer header, preventing a browser-specific specification from
>> requiring this behavior.
>
> Browser specification in this case should be along the lines of "If the
> request was initiated by reference from another object with a known URI
> then the Referer header SHOULD be sent indicating the URI of the
> referencing resource."

That is insecure. For example, if the referring URI is an HTTPS URI, then this would ask that user agents send the path and query string of the HTTPS URI in the clear over the network, potentially disclosing sensitive information in those parts of the URI, such as authorization tokens.

Adam
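The HTTPS-to-cleartext concern raised above, as an added example that is not part of the original thread: one function decides what Referer value a user agent may send for a given referring and request URI (omitting it entirely on a downgrade), and a second audits constructed plaintext-request log lines for referrers that would have leaked this way. The log format and sample URIs are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def referer_for_request(referring_uri: str, request_uri: str) -> Optional[str]:
    """Return the Referer value to send, or None to omit the header.

    If the referring resource is https and the request is not, the referrer's
    path and query would travel unencrypted, so nothing is sent. Otherwise
    the referrer is sent with fragment and userinfo removed.
    """
    ref = urlsplit(referring_uri)
    req = urlsplit(request_uri)
    if ref.scheme == "https" and req.scheme != "https":
        return None
    host = ref.netloc.rsplit("@", 1)[-1]  # drop any user:password@ part
    return urlunsplit((ref.scheme, host, ref.path, ref.query, ""))


# Constructed sample of cleartext requests as a proxy might log them:
# "<method> <request-uri> <referer-or-dash>"
SAMPLE_LOG = """\
GET http://cdn.example/logo.png https://bank.example/account?token=s3cr3t
GET http://cdn.example/app.js http://cdn.example/index.html
GET http://news.example/ -
"""


def find_downgrade_leaks(log_text: str) -> list[str]:
    """Return Referer values that were sent from an https page to a
    non-https request, i.e. URIs whose path and query crossed the
    network in the clear."""
    leaks = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] == "-":
            continue
        _, request_uri, referer = parts
        if (urlsplit(referer).scheme == "https"
                and urlsplit(request_uri).scheme != "https"):
            leaks.append(referer)
    return leaks


if __name__ == "__main__":
    print(referer_for_request("https://bank.example/account?token=abc",
                              "http://cdn.example/img.png"))
    print(find_downgrade_leaks(SAMPLE_LOG))
```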
Received on Friday, 12 June 2009 23:44:00 UTC