Re: Include Referer-HTTP-header in requests from XMLHttpRequests from Mark Baker on 2006-06-29 (public-webapi@w3.org from June 2006)

From: Mark Baker <distobj@acm.org>
Date: Thu, 29 Jun 2006 16:34:19 -0400
To: "Mark Nottingham" <mnot@yahoo-inc.com>
Cc: "Subbu Allamaraju" <subbu.allamaraju@gmail.com>, public-webapi@w3.org
Message-ID: <c70bc85d0606291334q7513f25va7b6fd774d216fb@mail.gmail.com>

On 6/29/06, Mark Nottingham <mnot@yahoo-inc.com> wrote:
> On 2006/06/29, at 12:24 PM, Mark Baker wrote:
>
> >> Right now, sites can trust that referers from browsers, at least,
> >> can't be manipulated. By changing that, you're reducing the
> >> information about the request context available to them.
> >
> > Right, but I don't think that matters much in the single domain case
> > since the author controls much of the request context.
>
> Let's say I publish some content that I only want consumed by XHR
> that's sourced from my site. Sure, somebody can fake that request if
> they have control of the client, but I'm not looking for that level
> of control.
>
> If I can't trust XHR to send a referer, I have to allow all requests,
> and that means that -- today -- somebody can link to that content
> from another site using <a>, <script>, <object>, etc.
>
> Again, it isn't perfect; it's just a useful mechanism that's
> sometimes good enough (or at least better than nothing).

Totally agreed.  But why require it be sent with every request?  Why
not just allow authors to set it themselves?

> >> Turn it around: What's the use case for changing it? Why is it so
> >> hard to send it?
> >
> > AIUI, current practice is not to send the Referer header.
>
> AFAIK the only browser that doesn't is Mozilla, and they're on track
> to adding it soon.
>    https://bugzilla.mozilla.org/show_bug.cgi?id=170477

Interesting, thanks for the link.  That surprises me to learn that the
others already send it.  It suggests that implementors see the
tradeoffs differently than myself, which is  fine, but still, I see no
reason for us to say anything.

> > It's not hard to send, of course.  It's just a long string (commonly)
> > that doesn't add much value in the single domain case, IMO, but would
> > increase latency in the general case.  Not a good tradeoff, IMO.
>
> Maybe we should get rid of that pesky Request-URI too, and move to a
> fixed-length object identifier... ;)

Funny guy! 8-)  So are you going to propose the Accept header be sent
on every XHR request with all supported media types listed? 8-)

Mark.

Received on Thursday, 29 June 2006 20:34:29 UTC