- From: Glenn Maynard <glenn@zewt.org>
- Date: Wed, 26 Oct 2011 00:05:29 -0400
On Tue, Oct 25, 2011 at 11:46 PM, Adam Barth <w3c at adambarth.com> wrote:

> On Tue, Oct 25, 2011 at 8:41 PM, Glenn Maynard <glenn at zewt.org> wrote:
> > It would fully break the basic use cases of Referer--being able to tell what
> > server is inlining resources on your server and causing it to be hammered,
> > and being able to do something about it. "rel=originreferer" mode doesn't
> > have that problem, though.
>
> It's a matter of weighing the privacy and security benefits against
> the costs to that use case. If you're interested in that use case,
> you might be interested in Anne's From-Origin proposal, which
> addresses it head-on.

From-Origin doesn't allow selectively revoking access to a resource, without revoking it from everyone. From-Origin also assumes a very small set of origins which can access a resource. If you have lots of domains (Google) or dynamically-generated domains (Blogspot), it falls apart quickly.

I'd be concerned about losing this functionality of Referer before From-Origin is fully proven. I have doubts of From-Origin being a realistic replacement for it.

--
Glenn Maynard
Received on Tuesday, 25 October 2011 21:05:29 UTC