- From: Maciej Stachowiak <mjs@apple.com>
- Date: Thu, 11 Nov 2010 07:36:14 -0800
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Philip Taylor <pjt47@cam.ac.uk>, Ian Hickson <ian@hixie.ch>, public-html@w3.org
On Nov 11, 2010, at 4:25 AM, Julian Reschke wrote:

> On 11.11.2010 12:36, Philip Taylor wrote:
>> ...
>> A non-trivial percentage of users never send a Referer header (due to
>> browser configuration or privacy-enhancing firewalls etc), so the usual
>> approach to prevent hotlinking is to reject any requests with a present
>> but incorrect Referer, and accept any with a correct or absent Referer.
>> That avoids hurting Refererless users, but still works to prevent
>> hotlinking since it breaks the hotlinking page for a vast majority of
>> users.
>>
>> noreferrer will make hotlinked requests indistinguishable from
>> legitimate requests from users that block Referer. The only way to
>> prevent hotlinking will then be to block all requests that lack Referer,
>> which will hurt some legitimate users too.
>> ...
>
> OK, so why is this a problem for <link>, not for <a>/<area>?

<a>/<area> are used to link to the main resource for a page, not an additional resource. In such cases, linking does not constitute "hotlinking", it is just a hyperlink that the user can follow. It is rare to use the Referer header to block incoming links from a specific page or site.

Regards,
Maciej
Received on Thursday, 11 November 2010 15:36:48 UTC
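
The Referer policy discussed in this thread, as an added example that is not part of the original message or of any participant's code: a server-side check for subresource requests in its lenient form (reject only a present-but-incorrect Referer) and its strict form (also reject an absent Referer), run over constructed sample requests. The host names, function names and sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed hosts of the site that owns the images (constructed for this example).
ALLOWED_HOSTS = {"example.org", "www.example.org"}

def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if it has none."""
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None

def allow_subresource(referer, strict=False):
    """Decide whether to serve an image or other subresource.

    lenient (strict=False): reject only a present-but-incorrect Referer.
    strict  (strict=True):  also reject requests that carry no Referer.
    """
    if not referer:
        return not strict
    # Exact host match, so "example.org.evil.example" does not pass.
    return referer_host(referer) in ALLOWED_HOSTS

# Constructed sample requests: (label, Referer header or None, is it legitimate?)
REQUESTS = [
    ("own page", "https://www.example.org/gallery", True),
    ("user who blocks Referer", None, True),
    ("hotlink, Referer sent", "https://hotlinker.example/post", False),
    ("hotlink via noreferrer", None, False),
]

def evaluate(strict):
    """Return (legitimate requests blocked, hotlinks served) under one policy."""
    blocked, served = [], []
    for label, referer, legitimate in REQUESTS:
        allowed = allow_subresource(referer, strict)
        if legitimate and not allowed:
            blocked.append(label)
        if allowed and not legitimate:
            served.append(label)
    return blocked, served

if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lenient", evaluate(strict))
```

The two Referer-less requests are identical on the wire, so each policy necessarily treats them the same way: lenient serves both, strict blocks both.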