[whatwg] <meta name="referrer">
glenn at zewt.org
Tue Oct 25 21:05:29 PDT 2011
On Tue, Oct 25, 2011 at 11:46 PM, Adam Barth <w3c at adambarth.com> wrote:
> On Tue, Oct 25, 2011 at 8:41 PM, Glenn Maynard <glenn at zewt.org> wrote:
> > It would fully break the basic use cases of Referer--being able to tell
> > server is inlining resources on your server and causing it to be
> > and being able to do something about it. "rel=originreferer" mode
> > have that problem, though.
> It's a matter of weighing the privacy and security benefits against
> the costs to that use case. If you're interested in that use case,
> you might be interested in Anne's From-Origin proposal, which
> addresses it head-on.
From-Origin doesn't allow selectively revoking access to a resource, without
revoking it from everyone.
From-Origin also assumes a very small set of origins which can access a
resource. If you have lots of domains (Google) or dynamically-generated
domains (Blogspot), it falls apart quickly.
I'd be concerned about losing this functionality of Referer before
From-Origin is fully proven. I have doubts of From-Origin being a realistic
replacement for it.
More information about the whatwg