On Apr 07, 2006, at 20:00, Mark Nottingham wrote:
OK. I've made my case and have heard from some individuals; it seems like there's agreement that automatically setting Referer shouldn't be disallowed, but disagreement about whether it should be overridable. I'd like to hear the WG's opinion on the matter.
It's been added to the agenda, though given the pile of stuff we have it may be a while before we get around to it.
So far however I haven't heard a convincing case that Referer-based content protection was a generally smart and safe thing to do that should be encouraged by the browsers' security model. Barring a stronger case for this restriction I'd be surprised to see a resolution in that direction.
-- Robin Berjon Senior Research Scientist Expway, http://expway.com/
