Close, Tyler J. wrote:
> Since the cross-domain request is labeled by the browser with the
> Referer-Root of Site A, it is tempting to say Site A should be held
> accountable. Unfortunately, this is not secure since Site B cannot
> know for sure that this labeling was done by an honest browser. Using
> another tool, the user could send a request to Site B labeled with a
> Referer-Root for Site A, in effect attempting to blame Site A for the
> request to Site B. So Site B is left in the position of not being able
> to hold either the user or Site A accountable for the request.

What accountability mechanism is used today if the browser isn't honest?
It seems to me like you are hosed then no matter what in the scenario.

/ Jonas