So EPR breaks the web because Referrer enforcement is broken and can't be
used as a security control effectively. That's why you mentioned Origin and
HTTPS. Since Referrer enforcement is less likely to break over SSL and
Origin works differently.
I see, it all makes sense now.
On Feb 12, 2015 10:52 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
> On Thu, Feb 12, 2015 at 9:50 PM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
> > Hmm, I think I didn't explain myself correctly.
>
> I thought you did.
>
>
> > The concern is that, say, if EPR was implemented, sites like Facebook or
> the
> > WSJ could block Google, or Bing from linking to their site.
> >
> > Other concern is that, for example, Bugzilla or github could break links
> in
> > a way that I couldn't bookmark them or store them in delicio.us.
> >
> > Other concern is that, for example, Yahoo News could be linked to from
> Bing
> > but not DuckDuckGo.
> >
> > Did I miss any concerns on EPR vs. The Web?
>
> Directly linking to "subresources" of an EPR site, presumably.
>
>
> > Which of these concerns is impossible without EPR? Say, with Referrer
> > checking.
>
> As I said, if you implement Referer checking you might end up breaking
> your own site for a number of users due to weird firewall policies.
> See past research on that header. I think it was done by Adam Barth.
>
>
> > Is the concern that EPR will make this practice mainstream?
>
> It's a concern, certainly.
>
>
> --
> https://annevankesteren.nl/
>