Re: The HTTP Origin Header (draft-abarth-origin)

Ah, I missed the clause "where it is currently not set at all."

Why would even that change be necessary? AIUI browsers sent no value  
when the request wasn't sourced from a particular HTTP URI; that's  
information that's valuable to the server (as Adrien points out).

On 23/01/2009, at 11:41 AM, Roy T. Fielding wrote:

> On Jan 22, 2009, at 4:20 PM, Mark Nottingham wrote:
>> On 23/01/2009, at 10:07 AM, Roy T. Fielding wrote:
>>> 4) Even if such a feature becomes necessary, it can be far
>>> easier accomplished by changing the operational behavior of
>>> browsers such that they always send Referer and simply reduce
>>> the value of that field (similar to that specified for Origin)
>>> in those cases where it is currently not set at all.  No change
>>> would then be needed to HTTP and existing agents that already
>>> send Referer for these cases would already comply.
>> I don't agree. Unless it's very well-specified and implemented,  
>> this will have the effect of dumbing down Referer, reducing its  
>> utility for other purposes.
> I don't understand -- the only case that would be affected
> is the one wherein no Referer is sent today.  It is easy
> to distinguish that case from other Referer values because it
> excludes anything after the URI authority (normal "http" Referer
> values always have a path portion of at least "/").  Hence,
> the change is both HTTP-compliant and detectable by origin
> servers (if they cared, which I don't expect they would).
> ....Roy

Mark Nottingham

Received on Friday, 23 January 2009 00:56:15 UTC
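The distinction debated in this thread, written out as an added example (not code from either participant or from draft-abarth-origin): a server-side check that separates an absent Referer, a reduced one that stops at the URI authority, and a normal one whose path is at least "/". The function names and sample requests are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def classify_referer(headers):
    """Return (kind, origin) for one request's headers (lower-case names).

    kind is "absent", "reduced" (authority only, nothing after it),
    "full" (has a path, query or fragment) or "invalid".
    """
    value = headers.get("referer")
    if value is None:
        return "absent", None
    try:
        parts = urlsplit(value.strip())
        port = parts.port          # raises ValueError on a bad port
    except ValueError:
        return "invalid", None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return "invalid", None
    host = parts.hostname          # already lower-cased by urlsplit
    if ":" in host:                # IPv6 literal: restore the brackets
        host = f"[{host}]"
    origin = f"{parts.scheme}://{host}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    after_authority = parts.path or parts.query or parts.fragment
    return ("full" if after_authority else "reduced"), origin

# Constructed sample requests, not taken from the thread.
SAMPLES = [
    {"host": "shop.example"},
    {"host": "shop.example", "referer": "http://news.example"},
    {"host": "shop.example", "referer": "http://news.example/"},
    {"host": "shop.example", "referer": "HTTPS://News.Example:443/a?b=1"},
    {"host": "shop.example", "referer": "about:blank"},
    {"host": "shop.example", "referer": "http://news.example:99999/"},
]

def classify_all(requests=SAMPLES):
    """Classify every sample request in order."""
    return [classify_referer(r) for r in requests]

if __name__ == "__main__":
    for req, result in zip(SAMPLES, classify_all()):
        print(req.get("referer"), "->", result)
```

The first three samples are the cases the thread argues about: they stay distinguishable only while "absent" keeps its own meaning and a reduced value never carries a trailing "/".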