Ian Hickson wrote: > > That's the new part. > > Referer-Root is not new. It's a subset of an existing header.
The content of Referer-Root is a subset of Referer; however, the conditions under which an honest client sends Referer-Root are different. Today, an honest, correctly implemented browser won't send a cross-domain POST of XML content. Consequently, it is not convincing for a dishonest client to use the Referer header to claim that a web page from another site originated such a request. The same is not true of the Referer header. The Referer header can be used to convincingly blame another site for a request. --Tyler
