Re: WebAppSec re-charter status

From: Eduardo' Vela\ <evn@google.com>
Date: Thu, 12 Feb 2015 21:50:28 +0100
Message-ID: <CAFswPa_ML2NGLhcPH7EG58Ka_xs4OBWHy6XxBxGO_tUEr3CuOg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mounir Lamouri <mlamouri@google.com>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Deian Stefan <deian@cs.stanford.edu>, Mike West <mkwst@google.com>, David Baron <dbaron@dbaron.org>, Jeffrey Yasskin <jyasskin@google.com>, Daniel Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, David Ross <drx@google.com>, Martin Thomson <martin.thomson@gmail.com>

Hmm, I think I didn't explain myself correctly.

The concern is that, say, if EPR was implemented, sites like Facebook or
the WSJ could block Google or Bing from linking to their site.

Another concern is that, for example, Bugzilla or GitHub could break links in
a way that I couldn't bookmark them or store them in del.icio.us.

Another concern is that, for example, Yahoo News could be linked to from Bing
but not DuckDuckGo.

Did I miss any concerns on EPR vs. The Web?

Which of these concerns is impossible without EPR? Say, with Referrer
checking.

The question I'm asking is how could EPR break the web? It simply makes
writing websites that don't want to be linked to easy.

Is the concern that EPR will make this practice mainstream?

On Feb 12, 2015 9:36 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

> On Thu, Feb 12, 2015 at 9:32 PM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
> > The status quo is that someone that wanted to make deep linking impossible
> > on their site, would need to 403 all requests without the right referrer.
>
> The last time Google studied that header I think it turned out for 5%
> of users things would break if something like that were to happen.
> It's why we have a distinct Origin header. Now if we limit things to
> TLS, maybe?
>
>
> --
> https://annevankesteren.nl/
>
Received on Thursday, 12 February 2015 20:51:01 UTC
