Re: ISSUE-124 CP 2

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 11 Nov 2010 07:36:14 -0800
Cc: Philip Taylor <pjt47@cam.ac.uk>, Ian Hickson <ian@hixie.ch>, public-html@w3.org
Message-id: <7C8BD5C0-8A0C-4749-BA64-52C8CF33A2DB@apple.com>
To: Julian Reschke <julian.reschke@gmx.de>

On Nov 11, 2010, at 4:25 AM, Julian Reschke wrote:

> On 11.11.2010 12:36, Philip Taylor wrote:
>> ...
>> A non-trivial percentage of users never send a Referer header (due to
>> browser configuration or privacy-enhancing firewalls etc), so the usual
>> approach to prevent hotlinking is to reject any requests with a present
>> but incorrect Referer, and accept any with a correct or absent Referer.
>> That avoids hurting Refererless users, but still works to prevent
>> hotlinking since it breaks the hotlinking page for a vast majority of
>> users.
>> noreferrer will make hotlinked requests indistinguishable from
>> legitimate requests from users that block Referer. The only way to
>> prevent hotlinking will then be to block all requests that lack Referer,
>> which will hurt some legitimate users too.
>> ...
> OK, so why is this a problem for <link>, but not for <a>/<area>?

<a>/<area> are used to link to the main resource for a page, not an additional resource. In such cases, linking does not constitute "hotlinking", it is just a hyperlink that the user can follow. It is rare to use the Referer header to block incoming links from a specific page or site.

Received on Thursday, 11 November 2010 15:36:48 UTC
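
The Referer policy described in the quoted text above, as an added example that is not part of the original thread: a lenient check (reject only a present but incorrect Referer) next to the strict fallback (reject an absent Referer too), run over constructed requests. The host names, the `headers` dict shape and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed hosts of the site that owns the images (constructed for illustration).
ALLOWED_HOSTS = {"example.org", "www.example.org"}

def referer_host(headers):
    """Host of the Referer header; None if the header is absent, '' if unparseable."""
    value = headers.get("Referer")
    if value is None or not value.strip():
        return None
    try:
        return (urlsplit(value.strip()).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return ""

def allow_lenient(headers):
    """Usual anti-hotlinking rule: accept a correct or absent Referer."""
    host = referer_host(headers)
    return host is None or host in ALLOWED_HOSTS

def allow_strict(headers):
    """Fallback rule: accept only a correct Referer, so absent is rejected."""
    return referer_host(headers) in ALLOWED_HOSTS

# Constructed sample requests for one image on the site.
SAMPLES = {
    "own page": {"Referer": "https://www.example.org/gallery.html"},
    "hotlinking page": {"Referer": "https://other.example/post"},
    "user who blocks Referer": {},
    "hotlinking page using noreferrer": {},  # same headers as the row above
    "garbage Referer": {"Referer": "not a url"},
}

def decisions():
    """Map each sample name to (lenient_result, strict_result)."""
    return {name: (allow_lenient(h), allow_strict(h)) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, (lenient, strict) in decisions().items():
        print(f"{name:34} lenient={lenient!s:5} strict={strict}")
```

The two Referer-less rows carry identical headers, so any rule that separates them has to be based on something other than Referer.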