
[whatwg] <meta name="referrer">

From: Glenn Maynard <glenn@zewt.org>
Date: Wed, 26 Oct 2011 00:05:29 -0400
Message-ID: <CABirCh9rBjtHO74ogkNeRe6COTS-oe2Q8fYswjCG_quY2RMAGw@mail.gmail.com>
On Tue, Oct 25, 2011 at 11:46 PM, Adam Barth <w3c at adambarth.com> wrote:

> On Tue, Oct 25, 2011 at 8:41 PM, Glenn Maynard <glenn at zewt.org> wrote:
> > It would fully break the basic use cases of Referer--being able to tell what
> > server is inlining resources on your server and causing it to be hammered,
> > and being able to do something about it.  "rel=originreferer" mode doesn't
> > have that problem, though.
>
> It's a matter of weighing the privacy and security benefits against
> the costs to that use case.  If you're interested in that use case,
> you might be interested in Anne's From-Origin proposal, which
> addresses it head-on.
>

From-Origin doesn't allow selectively revoking access to a resource, without
revoking it from everyone.

From-Origin also assumes a very small set of origins which can access a
resource.  If you have lots of domains (Google) or dynamically-generated
domains (Blogspot), it falls apart quickly.

I'd be concerned about losing this functionality of Referer before
From-Origin is fully proven.  I have doubts of From-Origin being a realistic
replacement for it.

-- 
Glenn Maynard
Received on Tuesday, 25 October 2011 21:05:29 UTC
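
The use case discussed in this message (seeing which site is inlining your resources and refusing only that site) is sketched below as an added example; it is not part of the original post or of any project's code. The host names, suffix list and header values are constructed, and only the host part of the Referer is used, so an origin-only referrer carries enough information for it.

```javascript
// Added example: per-host hotlink control driven by the Referer header.
// BLOCKED_HOSTS / BLOCKED_SUFFIXES are constructed sample values.
const BLOCKED_HOSTS = new Set(["leech.example"]);
// A suffix entry covers dynamically generated subdomains of one provider.
const BLOCKED_SUFFIXES = [".bloghost.example"];

// Return the lowercase host named by a Referer value, or null when the
// header is absent, empty, unparseable or not http(s).
// Accepts a full URL or an origin-only value such as "https://a.example/".
function refererHost(headerValue) {
  if (typeof headerValue !== "string" || headerValue.trim() === "") return null;
  try {
    const u = new URL(headerValue.trim());
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Decide whether to serve a resource and record which host embedded it.
// `hits` is a Map(host -> request count) used to see who is causing load.
function decide(headerValue, hits) {
  const host = refererHost(headerValue);
  if (host === null) {
    // No usable Referer: the request cannot be attributed, so it is served.
    return { action: "serve", host: null };
  }
  hits.set(host, (hits.get(host) || 0) + 1);
  const blocked =
    BLOCKED_HOSTS.has(host) ||
    BLOCKED_SUFFIXES.some((suffix) => host.endsWith(suffix));
  return { action: blocked ? "deny" : "serve", host };
}

// The n hosts responsible for the most requests, busiest first.
function topReferrers(hits, n) {
  return [...hits.entries()].sort((a, b) => b[1] - a[1]).slice(0, n);
}
```

Revoking access for one more site is a single new entry in the denylist; every other embedding site is unaffected.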
