I don't want to specifically disallow it, I don't want it to be MUST, nor do I see a particular reason for it not to be overridable - a browser may want to not allow it to be overridable without specific user agreement outside of the same domain for such reasons, but I don't see the reason for disallowing it from overriding within the same domain - given that any cross-domain is with the explicit agreement of the user in all implementations today, I don't see the problem with any of them setting it, indeed I have many use cases for it.
OK. I've made my case and have heard from some individuals; it seems
like there's agreement that automatically setting Referer shouldn't be
disallowed, but disagreement about whether it should be overridable.
I'd like to hear the WG's opinion on the matter.
I'm pretty sure that allowing referer to be overridden is a security
issue (one that should be mentioned in the security section if nothing
else).
Shopping sites may check that the referer is a product page when a
request is made to add an item to the shopping cart. And the check-out
page may perform a similar check before charging the credit card.
This would probably be helped by restricting to same-origin policies.
But I'd like to have good use cases even for adding that. I think site
authors would be upset if they couldn't rely on referer (which arguably
already is an issue since some firewall products block outbound referer
headers).
/ Jonas
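The kind of server-side referer check Jonas describes, as an added example that is not part of the thread: it classifies an add-to-cart request by its Referer, treats a stripped header ("missing") differently from a foreign one, and pairs the check with a session-bound token so the decision does not rest on a header the client controls. The shop origin, the form field name and the sample requests are constructed for this example.

```python
from urllib.parse import urlsplit
import hmac

# Hypothetical shop origin used by the example (assumption, not from the thread).
SHOP_ORIGIN = "https://shop.example"


def referer_origin(headers):
    """Return scheme://host[:port] of the Referer header, or None if absent/unparseable."""
    ref = headers.get("Referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def referer_check(headers, expected_origin=SHOP_ORIGIN):
    """Classify a request as 'ok' (same origin), 'missing' (no usable Referer,
    e.g. stripped by a firewall product) or 'foreign' (another origin).
    Comparing whole origins avoids matching 'shop.example.evil.example'."""
    origin = referer_origin(headers)
    if origin is None:
        return "missing"
    return "ok" if origin == expected_origin else "foreign"


def authorize_cart_add(headers, form, session_token):
    """Allow the add-to-cart POST only if the Referer is not foreign AND the
    form carries the token bound to the user's session. A missing Referer is
    tolerated because the token, not the header, is the real secret."""
    if referer_check(headers) == "foreign":
        return False
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)


if __name__ == "__main__":
    # Constructed sample requests.
    token = "s3ss10n-t0k3n"
    same = {"Referer": "https://shop.example/product/42"}
    stripped = {}
    foreign = {"Referer": "https://shop.example.evil.example/cart"}
    print(referer_check(same), referer_check(stripped), referer_check(foreign))
    print(authorize_cart_add(same, {"csrf_token": token}, token))
    print(authorize_cart_add(stripped, {"csrf_token": token}, token))
    print(authorize_cart_add(foreign, {"csrf_token": token}, token))
```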