- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 8 Feb 2008 22:10:00 +0000 (UTC)
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Thu, 7 Feb 2008, Close, Tyler J. wrote:
> > >
> > > That's the new part.
> >
> > Referer-Root is not new. It's a subset of an existing header.
>
> The content of Referer-Root is a subset of Referer; however, the
> conditions under which an honest client sends Referer-Root are
> different. Today, an honest, correctly implemented browser won't send a
> cross-domain POST of XML content. Consequently, it is not convincing for
> a dishonest client to use the Referer header to claim that a web page
> from another site originated such a request. The same is not true of the
> [Referer-Root] header. The [Referer-Root] header can be used to
> convincingly blame another site for a request.

Why is this a problem, given that the same (but with Referer) is already
true for all GET requests and POST requests from <form>s?

How would you solve this problem?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 8 February 2008 22:10:14 UTC
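As an added example (not part of the thread), a server-side allowlist check in Python showing the defensive use of a header like Referer-Root or Referer: the claimed root is grounds only for refusing a state-changing request, never for attributing it to another site, since any non-browser client can write either header freely. The hostnames, the allowlist and the policy for header-less requests are constructed assumptions.

```python
"""Origin allowlist check for state-changing requests (added example).

Assumptions (hypothetical): the server is https://app.example and accepts
cross-site requests only from https://partner.example. 'Referer-Root' is the
draft header discussed in the thread; 'Referer' is the existing one.
"""
from urllib.parse import urlsplit

SELF_ORIGIN = "https://app.example"                      # constructed
TRUSTED_ROOTS = {SELF_ORIGIN, "https://partner.example"}  # constructed allowlist
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}                 # never change state


def root_of(url):
    """Reduce a URL to scheme://host[:port], the 'root' both headers carry."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method, headers):
    """Return ('allow' | 'deny', reason) for one request.

    The claimed root is used only to refuse a request. A mismatch means
    'not a request this site asked for'; it is not evidence that the named
    site sent it, because a dishonest client can put any value in either
    header. Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return "allow", "safe method, no origin check needed"

    # Prefer the explicit root header; fall back to the root of Referer.
    claimed = root_of(h.get("referer-root")) or root_of(h.get("referer"))
    if claimed is None:
        # Policy choice for this example: no origin information, no write.
        return "deny", "state-changing request without origin information"
    if claimed in TRUSTED_ROOTS:
        return "allow", f"{claimed} is on the allowlist"
    return "deny", f"claimed root {claimed} is not trusted (claim unverified)"
```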