On Thu, 7 Feb 2008, Close, Tyler J. wrote:
>
> > > > > > That's the new part.
> > > >
> > > > Referer-Root is not new. It's a subset of an existing header.
>
> The content of Referer-Root is a subset of Referer; however, the
> conditions under which an honest client sends Referer-Root are
> different. Today, an honest, correctly implemented browser won't send a
> cross-domain POST of XML content. Consequently, it is not convincing for
> a dishonest client to use the Referer header to claim that a web page
> from another site originated such a request. The same is not true of the
> [Referer-Root] header. The [Referer-Root] header can be used to
> convincingly blame another site for a request.
Why is this a problem, given that the same (but with Referer) is already
true for all GET requests and POST requests from <form>s?

How would you solve this problem?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
