On 08/26/10 13:25, Jeff Balogh wrote:
> In our case the pref was accidentally disabled when testing add-ons, but people do intentionally turn off Referer for privacy reasons. I don't know if requiring Referer under https is a good idea.
RFC-2616 makes it pretty clear that one should never require the Referer[sic] header as it's optional[1] for the user-agent to transmit it and perfectly reasonable for the user to disable it regardless of HTTP vs. HTTPS.
-tkc

[1]
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.2
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3