Re: WebAppSec re-charter status

Hmm, I think I didn't explain myself correctly.

The concern is that, say, if EPR was implemented, sites like Facebook or
the WSJ could block Google or Bing from linking to their site.

Another concern is that, for example, Bugzilla or GitHub could break links in
a way that I couldn't bookmark them or store them in del.icio.us.

Another concern is that, for example, Yahoo News could be linked to from Bing
but not DuckDuckGo.

Did I miss any concerns on EPR vs. The Web?

Which of these concerns is impossible without EPR? Say, with Referrer
checking.

The question I'm asking is how could EPR break the web? It simply makes
writing websites that don't want to be linked to easy.

Is the concern that EPR will make this practice mainstream?

On Feb 12, 2015 9:36 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

> On Thu, Feb 12, 2015 at 9:32 PM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
> > The status quo is that someone that wanted to make deep linking
> > impossible on their site, would need to 403 all requests without the
> > right referrer.
>
> The last time Google studied that header I think it turned out for 5%
> of users things would break if something like that were to happen.
> It's why we have a distinct Origin header. Now if we limit things to
> TLS, maybe?
>
>
> --
> https://annevankesteren.nl/
>

Received on Thursday, 12 February 2015 20:51:01 UTC