Re: The HTTP Origin Header (draft-abarth-origin)

Absence of a Referer field is significant and useful - take a look at 
Google Analytics for a compelling reason why.

It allows a site to determine if it was hit by way of linking from 
another site, or presume that the human typed the URI directly into the 
browser.

I don't see why servers can't protect themselves without changing 
Referer though.

Adrien


Roy T. Fielding wrote:
>
> On Jan 22, 2009, at 4:20 PM, Mark Nottingham wrote:
>> On 23/01/2009, at 10:07 AM, Roy T. Fielding wrote:
>>>
>>> 4) Even if such a feature becomes necessary, it can be far
>>> easier accomplished by changing the operational behavior of
>>> browsers such that they always send Referer and simply reduce
>>> the value of that field (similar to that specified for Origin)
>>> in those cases where it is currently not set at all.  No change
>>> would then be needed to HTTP and existing agents that already
>>> send Referer for these cases would already comply.
>>
>> I don't agree. Unless it's very well-specified and implemented, this 
>> will have the effect of dumbing down Referer, reducing its utility 
>> for other purposes.
>
> I don't understand -- the only case that would be affected
> is the one wherein no Referer is sent today.  It is easy
> to distinguish that case from other Referer values because it
> excludes anything after the URI authority (normal "http" Referer
> values always have a path portion of at least "/").  Hence,
> the change is both HTTP-compliant and detectable by origin
> servers (if they cared, which I don't expect they would).
>
> ....Roy
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

Received on Friday, 23 January 2009 00:49:01 UTC
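
The distinction discussed in this thread, as an added example that is not part of the original messages: a server-side classifier that separates an absent Referer, a Referer reduced to scheme and authority (the behaviour proposed in the quoted text), and an ordinary Referer with a path of at least "/". The function name, the lower-cased header dict and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ABSENT, ORIGIN_ONLY, FULL, INVALID = "absent", "origin-only", "full", "invalid"


def classify_referer(headers):
    """Return (kind, origin) for a dict of request headers with lower-case names.

    kind is ABSENT when no Referer was sent, ORIGIN_ONLY when the value stops
    at the URI authority, FULL when a path, query or fragment follows it, and
    INVALID for anything that is not a usable http(s) URI.
    """
    value = headers.get("referer")
    if value is None:
        return ABSENT, None
    try:
        parts = urlsplit(value.strip())
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return INVALID, None
    if parts.scheme not in ("http", "https") or not host:
        return INVALID, None
    if ":" in host:  # IPv6 literal: urlsplit drops the brackets, restore them
        host = f"[{host}]"
    origin = f"{parts.scheme}://{host}" + (f":{port}" if port else "")
    # Compare the raw components: "http://example.com" has an empty path,
    # while a normal Referer always carries at least "/".
    if not (parts.path or parts.query or parts.fragment):
        return ORIGIN_ONLY, origin
    return FULL, origin


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    samples = [
        {"host": "shop.example"},
        {"host": "shop.example", "referer": "http://other.example"},
        {"host": "shop.example", "referer": "http://other.example/"},
        {"host": "shop.example", "referer": "https://Other.Example:8443/a?b=1"},
        {"host": "shop.example", "referer": "about:blank"},
    ]
    for request in samples:
        print(request.get("referer"), "->", classify_referer(request))
```

The origin returned in the second position is the same for the reduced and the full form, so a same-site check can compare it against the server's own origin in either case.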