- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sun, 09 Apr 2006 06:22:35 -0700
- To: Mark Nottingham <mnot@yahoo-inc.com>
- Cc: public-webapi@w3.org
>> I don't want to specifically disallow it, I don't want it to be MUST,
>> nor do I see a particular reason for it not to be overridable - a browser
>> may want to not allow it to be overridable without specific user agreement
>> outside of the same domain for such reasons, but I don't see the reason for
>> disallowing it from overriding within the same domain - given that any cross
>> domain is with the explicit agreement of the user in all implementations
>> today, I don't see the problem with any of them setting it, indeed I have
>> many use cases for it.
>
> OK. I've made my case and have heard from some individuals; it seems
> like there's agreement that automatically setting Referer shouldn't be
> disallowed, but disagreement about whether it should be overridable.
> I'd like to hear the WG's opinion on the matter.

I'm pretty sure that allowing referer to be overridden is a security issue (one that should be mentioned in the security section if nothing else).

Shopping sites may check that the referer is a product page when a request is made to add an item to the shopping cart. And the check-out page may perform a similar check before charging the credit card.

This would probably be helped by restricting to same-origin policies. But I'd like to have good use cases even for adding that. I think site authors would be upset if they couldn't rely on referer (which arguably already is an issue since some firewall products block outbound referer headers).

/ Jonas
Received on Sunday, 9 April 2006 13:22:34 UTC
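The kind of server-side Referer check Jonas describes (add-to-cart only from a product page, charging only from the checkout page), written out as an added example that is not part of the thread or any W3C deliverable. The shop origin `shop.example`, the action paths and the sample Referer values are all constructed for illustration. The example compares the full origin (scheme, host, port) rather than doing a substring match, and it shows the two cases the message raises: a same-origin restriction on who may set the header, and the absent header produced when a firewall strips outbound Referer.

```python
from urllib.parse import urlsplit

# Constructed values for the example: the shop's own origin, and which pages
# are allowed to originate each state-changing request.
SHOP_ORIGIN = ("https", "shop.example", 443)
ALLOWED_PATH_PREFIXES = {
    "/cart/add": ("/product/",),           # add-to-cart must come from a product page
    "/checkout/charge": ("/checkout/",),   # charging the card must come from checkout
}


def _origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port.

    urlsplit().hostname drops any userinfo, so a Referer such as
    https://shop.example@evil.example/ yields the host evil.example, not
    shop.example. Raises ValueError for a malformed port.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def referer_check(action_path, referer):
    """Decide from the Referer header alone whether a request to action_path
    may proceed. referer is None when the header is absent.
    Returns (allowed, reason)."""
    if not referer:
        # Some firewall products and privacy tools strip outbound Referer.
        # A site that relies on Referer has to choose a policy here; for a
        # credit-card charge, failing closed is the conservative choice.
        return (False, "missing referer")
    try:
        origin = _origin_of(referer)
    except ValueError:
        origin = None
    if origin is None:
        return (False, "unparseable referer")
    # Exact origin comparison: shop.example.evil.example, a plain-http
    # downgrade, or a different port all fail here.
    if origin != SHOP_ORIGIN:
        return (False, "cross-origin referer %s://%s:%d" % origin)
    path = urlsplit(referer).path
    prefixes = ALLOWED_PATH_PREFIXES.get(action_path, ())
    if not any(path.startswith(p) for p in prefixes):
        return (False, "same origin but unexpected page %s" % path)
    return (True, "ok")


# Constructed sample requests: (action the request targets, Referer sent).
SAMPLE_REQUESTS = [
    ("/cart/add", "https://shop.example/product/1234"),
    ("/cart/add", "https://shop.example/search?q=1234"),
    ("/cart/add", "https://shop.example.evil.example/product/1234"),
    ("/cart/add", "https://shop.example@evil.example/product/1234"),
    ("/checkout/charge", "http://shop.example/checkout/confirm"),
    ("/checkout/charge", None),
    ("/checkout/charge", "https://shop.example/checkout/confirm"),
]


def run_samples():
    """Evaluate every sample request; returns [(action, referer, (allowed, reason))]."""
    return [(action, ref, referer_check(action, ref)) for action, ref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for action, ref, (ok, why) in run_samples():
        print("%-5s %-17s %-52s %s" % ("ALLOW" if ok else "DENY", action, str(ref), why))
```

Only the first product-page request and the last checkout request are allowed. The check is exactly as strong as the header is trustworthy: if a script running on any origin could set Referer to `https://shop.example/product/1234`, every row above would become ALLOW, which is the point of restricting who may override it to the same origin.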