- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 29 Jun 2006 21:20:40 +0000 (UTC)
- To: Mark Baker <distobj@acm.org>
- Cc: Mark Nottingham <mnot@yahoo-inc.com>, Subbu Allamaraju <subbu.allamaraju@gmail.com>, public-webapi@w3.org
On Thu, 29 Jun 2006, Mark Baker wrote:
>
> > I would be very much against that. Referer is very useful to Web sites
> > that want to restrict casual linking into images and other resources.
> > If XHR is able to change referers, and also eventually enables
> > cross-site, it will become trivial to circumvent this sort of protection
> > (which, yes, isn't perfect, but is often good enough).
>
> I agree, but that's for cross-domain, which is a very different problem.
> I agree that Referer is of higher value in cross-domain scenarios.

It's not that different; once you have XXX (CROSS-site eXtensions to
Xmlhttprequest), a simple one-domain XMLHttpRequest call can trivially turn
into a cross-domain call simply by hitting a redirect.

IMHO the restrictions for XXX should be the same as for normal
XMLHttpRequest, otherwise we're just asking for obscure security bugs.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 29 June 2006 21:20:53 UTC