- From: Larry Masinter <masinter@adobe.com>
- Date: Wed, 25 Feb 2009 16:05:48 -0800
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
I think the idea of allowing fragment identifiers in Referer is interesting, and I'm not sure what it would break. It couldn't be mandated. I think the privacy security concerns about Referer remain, and perhaps the restriction was just a way of minimizing the exposure? The important limits on Referer in RFC 2616 are in the "Security Considerations" section http://tools.ietf.org/html/rfc2616#section-15.1.2 At least a while ago, it was looking like the "Origin" header proposal might instead be subsumed by an extension to "Referer" instead, which seemed like a positive direction. I don't think allowing fragment identifiers in Referer for other purposes would interfere with that. Larry -- http://larry.masinter.net
Received on Thursday, 26 February 2009 00:08:04 UTC