Re: The HTTP Origin Header (draft-abarth-origin)

On Thu, Jan 22, 2009 at 4:41 PM, Roy T. Fielding <> wrote:
> I don't understand -- the only case that would be affected
> is the one wherein no Referer is sent today.

The problematic case is when the Referer header is suppressed by the
network (e.g., proxies).  In this case, the Referer header is
suppressed regardless of its value.  Choosing a different value will
not help Web sites defend themselves against CSRF.


Received on Friday, 23 January 2009 01:48:39 UTC