- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 26 Jan 2009 18:55:21 -0800
- To: Larry Masinter <LMM@acm.org>
- Cc: ietf-http-wg@w3.org
On Mon, Jan 26, 2009 at 5:41 PM, Larry Masinter <LMM@acm.org> wrote:
> Treating Referer like some kind of urban blight which we just leave to
> molder seems odd to me. Is Referer deprecated? Expected to be sent as well,
> but then frequently stripped?

Although the Referer header is not useful as a CSRF defense, the Referer header is useful for a number of other purposes. For example:

1) The Referer header tells me which search terms visitors to http://www.adambarth.com/ used to find my home page.

2) The Referer header helps me track down pages that are still linking to my old home page (at adambarth.org).

3) Many bloggers use the Referer header to link to pages that link to their posts (trackback).

> If the main difference between "Referer" and
> "Origin" is that Referer contains too much information or is sent at the
> wrong time, why not just fix "Referer"? It shouldn't be any harder to change
> an existing header (compatibly) than it is to invent a new one.

That would break the above use cases.

> I think the discussion confuses the cost/benefits for different
> constituencies.

I didn't understand the point you were trying to make with this analysis. Instead of listing the costs and benefits of various actions to various constituencies, you just described what you thought each party would do without explaining why.

> You can't benefit browser users until a significant number of server
> operators deploy this.

A user of a supporting browser will benefit as soon as one Web site they use adopts the defense.

> But server operators will be reluctant to deploy
> without browser implementation.

The cost to deploy the defense is small and the benefit scales with the deployment of supporting browsers. At some point, the benefits of deploying the defense will eclipse its cost. My guess is this turning point will come long before the Origin header reaches 90% deployment.

> Meanwhile, if firewalls start blocking the
> header, then the benefit curve will go down, not up, and it will be another
> set of useless bytes sent over the wire only to be parsed and blocked later
> (i.e., just more cost).

We have yet to see even anecdotal evidence that firewall customers will benefit from demanding that firewall vendors block the header.

Adam
Received on Tuesday, 27 January 2009 02:55:57 UTC
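The server-side check the thread is arguing about, written out as an added example (this is not code from the message or from any Origin-header proposal). It shows why the deployment cost is small and why a site benefits as soon as supporting browsers start sending Origin: a state-changing request whose Origin (or, failing that, Referer) names another site is refused, while a request that carries neither header is treated as coming from a legacy browser and let through. The names `check_csrf`, `request_origin` and the `missing_header_policy` switch are my own; the lenient default for missing headers is an assumed policy choice, not something the message prescribes, and the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Methods that must not change server state; they need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def request_origin(headers):
    """Return the claimed source of the request as scheme://host[:port].

    Origin is preferred because it carries only the origin; Referer is used
    as a fallback and reduced to its origin so the path is never compared.
    Returns None when neither header is present or usable (e.g. stripped by
    a proxy or firewall, or sent by a browser that predates Origin).
    """
    origin = _header(headers, "Origin")
    if origin:
        return origin.strip().lower()
    referer = _header(headers, "Referer")
    if referer:
        parts = urlsplit(referer.strip())
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def check_csrf(method, headers, site_origin, missing_header_policy="allow"):
    """Decide whether a request may proceed. Returns (allowed, reason).

    missing_header_policy is an assumed knob: "allow" accepts requests with
    no Origin/Referer (legacy browsers keep working, so the defense can be
    deployed before browser support is widespread); "strict" rejects them.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check needed"
    source = request_origin(headers)
    if source is None:
        if missing_header_policy == "allow":
            return True, "no Origin/Referer: assumed legacy browser"
        return False, "no Origin/Referer: rejected by strict policy"
    # Browsers send the literal "null" when the real origin must be hidden;
    # it can never match a site, so it is refused like any foreign origin.
    if source == "null":
        return False, "Origin is null"
    if source == site_origin.lower():
        return True, "origin matches this site"
    return False, f"cross-site request from {source}"


def demo(site_origin="https://www.example.com"):
    """Run constructed sample requests through check_csrf; returns decisions."""
    samples = [
        ("GET", {}),                                            # read-only
        ("POST", {"Origin": "https://www.example.com"}),        # same site
        ("POST", {"Origin": "https://attacker.example"}),       # cross site
        ("POST", {"Referer": "https://www.example.com/form"}),  # old browser
        ("POST", {}),                                           # headers stripped
        ("POST", {"Origin": "null"}),                           # hidden origin
    ]
    return [check_csrf(m, h, site_origin)[0] for m, h in samples]


if __name__ == "__main__":
    for allowed in demo():
        print("allowed" if allowed else "blocked")
```

With the lenient default, only the two requests that positively name a foreign source (or "null") are refused; tightening `missing_header_policy` to "strict" later, once supporting browsers dominate, is a one-line change on the server.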