On Fri, 2010-09-03 at 12:56 -0700, Paul McMillan wrote: > I've only a small voice in this matter, but I'd like to chime in on > the side of figuring out a way to solve this without requiring the > Referer header. > > Regardless of what the RFC may say, I know from inspecting my logs > that I (and I assume many others) get a lot of traffic without the > header. The traffic in question isn't hand-entered URLS. People who > operate sites that appeal to certain subset of the internet population > see much higher instances of this. On some sites, my numbers show that > nearly 15% of my visitors never send a Referer.
Barth, Jackson and Mitchell [1] collected some data that said that for same-domain HTTPS POST requests, the header is missing in only 0.05% to 0.22% of cases. They've also got strong evidence that the header is suppressed in the network, not by the browser. If you've got very different data, for same-domain HTTPS POST requests, and *not* including other types of requests, because they are not relevant, then we will probably have to re-evaluate. Would you be able to collect such data? Thanks, Luke [1] http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf -- A mosquito cried out in pain: "A chemist has poisoned my brain!" The cause of his sorrow was para-dichloro- diphenyltrichloroethane Luke Plant || http://lukeplant.me.uk/ -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
