Re: From-Origin FPWD from Maciej Stachowiak on 2011-08-01 (public-webapps@w3.org from July to September 2011)

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 01 Aug 2011 11:15:58 -0700
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "robert@ocallahan.org" <robert@ocallahan.org>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
Message-id: <5B5C080A-5CA2-45DC-B353-912B8ED544B6@apple.com>

On Aug 1, 2011, at 10:29 AM, Hill, Brad wrote:

> The ability to do all of these things server-side, with referrer checking, has been universally available for fifteen years.  (RFC 1945)
>  
> In every one of the use cases below, From-Origin is a worse solution than referrer checking.  What is the benefit?  Why should I choose From-Origin?  Why should we expect it to become universally deployed where referrer checking is not?

The From-Origin design has two advantages over server-side Referer checking:

1) The Referer header is stripped by intermediaries, often enough that sites targeting a wide user base must be prepared for the fact that it may not be present. This limits the effectiveness of checking it.

2) In many static hosting environments, it is easier to add a fixed response header than to add server-side logic to check Referer. It also enables better caching by intermediaries, as the response would not require a Vary: Referer rule. It's quite common to serve resources such as images or CSS from a dedicated host that only serves static resources and does not execute application logic.

For these reasons, despite the availability of server-side Referer checking, many Web developers would find a solution like From-Origin convenient and helpful

Regards,
Maciej

Received on Monday, 1 August 2011 18:16:30 UTC