- From: Jim Ley <jim@jibbering.com>
- Date: Thu, 29 Jun 2006 21:12:58 +0100
- To: "Mark Nottingham" <mnot@yahoo-inc.com>, "Mark Baker" <distobj@acm.org>
- Cc: "Subbu Allamaraju" <subbu.allamaraju@gmail.com>, <public-webapi@w3.org>
"Mark Nottingham" <mnot@yahoo-inc.com>

> If I can't trust XHR to send a referer, I have to allow all requests, and
> that means that -- today -- somebody can link to that content from
> another site using <a>, <script>, <object>, etc.

No, you set an appropriate header to authorise the request, you don't rely on referer, as that is unsafe, because it's unreliable and you would unreasonably disqualify people from using your service.

Given the existence of better methods of meeting your use case, I see no reason to raise Referer up to should.

Jim.
Received on Thursday, 29 June 2006 20:13:30 UTC