On Thu, 26 Jul 2007, Jonas Sicking wrote:
> >
> > Isn't Referer disabled by some third-party software now and then? Such
> > as antivirus software? Another reason is probably that Referer-Root
> > contains the exact format needed for the access check. We could use
> > that in the access-control document probably.
>
> This seems like a losing battle that I don't see a reason to fight. If
> the user (by installing software or through corporate policies) disables
> the Referer header, why should we try to circumvent them? That seems
> just likely to piss them off and then add Referer-Root to their blocking
> list.

Referer is blocked for privacy reasons (e.g. including personal data in the URL). Referer-Root is supposed to be safe from this, by only including host/domain information.

> If the sites want to use the Referer header and it has been blocked the
> site can simply deny the request. Non-ideal for the end-user, but by
> their own choice.

Referer is also blocked when going from https:// to http://, for the same reasons as above, and we want Referer-Root available then too.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'