I've only a small voice in this matter, but I'd like to chime in on the side of figuring out a way to solve this without requiring the Referer header.
Regardless of what the RFC may say, I know from inspecting my logs that I (and I assume many others) get a lot of traffic without the header. The traffic in question isn't hand-entered URLS. People who operate sites that appeal to certain subset of the internet population see much higher instances of this. On some sites, my numbers show that nearly 15% of my visitors never send a Referer. It doesn't really matter what the cause - paranoid sysadmins, users who install privacy plugins, or people who just disable that setting. The point is that although you and I browse with the header turned on, there is a sizable population that does not. Breaking the framework for that population seems like a bad idea. It has an taste reminiscent of the "my way or the highway, this site only works in IE 4.5" days of yore. That said, I don't have a good alternative solution, and certainly prefer the current behavior over a potential XSS hole. -Paul -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.