- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Fri, 30 Jan 2009 15:16:23 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Bjoern Hoehrmann <derhoermi@gmx.net>, ietf-http-wg@w3.org
On Jan 30, 2009, at 2:36 PM, Adam Barth wrote:

> On Fri, Jan 30, 2009 at 2:30 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>> As Thomas says, there are lots of ways to do this, mostly by design.
>
> [...]
>
>> OK, so can't we get incremental improvement by specifying what Referer
>> should be in these situations, and having browsers implement that?
>
> Yes. That's an interesting idea. We could let user agents send the
> value "null" in the Referer header and then require user agents to
> always send a Referer header (possibly with the value "null"). This
> would let servers distinguish between a header suppressed by the
> attacker (value is null) and suppressed by the network (header is
> gone) in the same way the Origin header proposes.

I was thinking something like

    Referer: data:hidden
    Referer: about:bookmarks
    Referer: https:

and others where appropriate.

....Roy
Received on Friday, 30 January 2009 23:16:53 UTC
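As an added example (not part of this message or the list thread), the server-side check the proposal would enable: it separates a Referer the user agent deliberately replaced with a marker ("null" as Adam suggests, or the scheme-only and pseudo-URL forms Roy sketches) from a Referer that is simply absent, and only the latter is treated as possibly stripped in transit. The marker set, the `bank.example` origin and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Outcomes of inspecting the Referer header on a state-changing request.
SAME_ORIGIN = "same-origin"
CROSS_ORIGIN = "cross-origin"
SUPPRESSED = "suppressed-by-ua"  # UA sent a marker instead of the real referrer
ABSENT = "absent"                # no header at all: stripped en route or never sent

# Marker values drawn from the thread: "null" (mirroring the Origin proposal)
# and the pseudo-URL forms floated in the reply. This is a constructed policy
# for the example, not a standardised list.
MARKER_VALUES = {"null", "data:hidden", "about:bookmarks"}


def classify_referer(headers, site_origin):
    """Classify the Referer of a request into one of the four outcomes.

    headers: dict of header name -> value (names matched case-insensitively)
    site_origin: the protected site's origin, e.g. "https://bank.example"
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("referer")
    if value is None:
        return ABSENT
    value = value.strip()
    if value.lower() in MARKER_VALUES:
        return SUPPRESSED
    parts = urlsplit(value)
    # A scheme with no host ("https:") reveals the scheme but hides the
    # referring site, so it is another deliberate-suppression marker.
    if parts.scheme and not parts.netloc:
        return SUPPRESSED
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    return SAME_ORIGIN if origin == site_origin.lower() else CROSS_ORIGIN


def allow_state_change(headers, site_origin, trust_absent=False):
    """CSRF gate: accept only a same-origin Referer outright.

    A UA-supplied marker is refused, because the requesting page chose to
    hide where it came from.  A missing header stays ambiguous (proxy
    stripping versus a hostile page), so the deployer decides via
    trust_absent; the default is to refuse.
    """
    cls = classify_referer(headers, site_origin)
    if cls == SAME_ORIGIN:
        return True
    if cls == ABSENT:
        return trust_absent
    return False
```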