- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 30 Jan 2009 14:36:07 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, ietf-http-wg@w3.org

On Fri, Jan 30, 2009 at 2:30 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> As Thomas says, there are lots of ways to do this, mostly by design.
[...]
> OK, so can't we get incremental improvement by specifying what Referer
> should be in these situations, and having browsers implement that?

Yes. That's an interesting idea. We could let user agents send the value "null" in the Referer header and then require user agents to always send a Referer header (possibly with the value "null"). This would let servers distinguish between a header suppressed by the attacker (value is null) and suppressed by the network (header is gone) in the same way the Origin header proposes.

Adam

Received on Friday, 30 January 2009 22:36:42 UTC
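
An added example, not part of the original message: a server-side sketch of the distinction the proposal would allow, separating a Referer of "null" from a missing header. The function names, the example.com origin and the accept/reject policy in allow_state_change are assumptions for illustration; the message only says the two cases become distinguishable.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a bad port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]   # normalise implicit default ports
    return (scheme, parts.hostname.lower(), port)

def classify_referer(headers, site_origin):
    """Classify a request by its Referer header under the proposed scheme."""
    # HTTP header names are case-insensitive.
    values = [v for k, v in headers.items() if k.lower() == "referer"]
    if not values:
        return "absent"        # header is gone: stripped on the network
    value = values[0].strip()
    if value == "null":
        return "suppressed"    # user agent sent the explicit "null" value
    origin = origin_of(value)
    if origin is None:
        return "malformed"
    return "same-origin" if origin == origin_of(site_origin) else "cross-origin"

def allow_state_change(headers, site_origin, accept_absent=True):
    """Assumed policy: accept same-origin, tolerate a network-stripped
    header if configured to, and reject everything else, "null" included."""
    verdict = classify_referer(headers, site_origin)
    if verdict == "same-origin":
        return True
    if verdict == "absent":
        return accept_absent
    return False
```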