- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 06 Feb 2008 15:58:13 -0800
- To: "Close, Tyler J." <tyler.close@hp.com>
- CC: Web Application Formats Working Group WG <public-appformats@w3.org>
Close, Tyler J. wrote:
> Since the cross-domain request is labeled by the browser with the
> Referer-Root of Site A, it is tempting to say Site A should be held
> accountable. Unfortunately, this is not secure since Site B cannot
> know for sure that this labeling was done by an honest browser. Using
> another tool, the user could send a request to Site B labeled with a
> Referer-Root for Site A, in effect attempting to blame Site A for the
> request to Site B. So Site B is left in the position of not being able
> to hold either the user or Site A accountable for the request.

What accountability mechanism is used today if the browser isn't honest?
It seems to me like you are hosed then no matter what in the scenario.

/ Jonas

Received on Thursday, 7 February 2008 00:00:22 UTC