"Jonas Sicking" <[EMAIL PROTECTED]>
>> There's no arguably about it, many firewalls block it, as do others to
>> anonymise user activity through the web, such things cannot be relied on.
>> I also don't see the author's use cases for shopping cart checks? Surely
>> these use cookie based state methods.
> Cookie based solutions won't work since cookies are sent with XHR. So to
> the site it'll look like this was a real request.
XHR can only request the same site in normal situations, so now I really
don't understand what the problem you're trying to illustrate is? There are
much bigger problems with allowing cross-site XHR than can be solved with
referrer.
>> Site authors already cannot rely on referrer, so quite why they should be
>> able to rely on it with XHR I don't know, forcing special behaviour on
>> UAs depending on where a request comes from seems to be something you
>> should do only in the most extreme situation.
> Saying that referrer can't be overridden isn't really 'forcing special
> behaviour'.
The request was for referrer to be required, that's the special behaviour,
unless you make it also required, I see no point in requiring it can't be
overridden...
Jim.
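The two failure modes argued over in this exchange, modelled as an added example that is not part of the thread or of any browser or site code: a cookie-only session check cannot tell a cross-site XHR (to which the browser attached the site's cookie) from a real request, and a "Referer required" policy turns away a logged-in user whose Referer was stripped by a firewall or anonymising proxy. The site name, session value and sample requests are constructed for the example; the `label` field is only there for the reader, a server never sees it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SITE = "https://shop.example"   # hypothetical site, constructed for this example
VALID_SESSION = "sess-42"       # constructed session cookie value


@dataclass(frozen=True)
class Request:
    label: str                      # who really sent it; not visible to the server
    cookie_session: Optional[str]   # site's session cookie, if the browser attached it
    referer: Optional[str]          # Referer header, or None if absent or stripped


def cookie_check(req: Request) -> bool:
    """Cookie-based state check: accept if a valid session cookie is present."""
    return req.cookie_session == VALID_SESSION


def referer_check(req: Request) -> bool:
    """'Referer required' policy: accept only if Referer is present and names this site."""
    return req.referer is not None and req.referer.startswith(SITE + "/")


def evaluate(req: Request) -> Dict[str, bool]:
    """Decision under each policy for one request."""
    return {
        "cookie_only": cookie_check(req),
        "cookie_and_referer": cookie_check(req) and referer_check(req),
    }


# Constructed sample traffic covering the cases raised in the thread.
REQUESTS: List[Request] = [
    Request("logged-in user, same site", VALID_SESSION, SITE + "/cart"),
    Request("logged-in user behind referer-stripping proxy", VALID_SESSION, None),
    Request("cross-site XHR, browser attached the site cookie", VALID_SESSION,
            "https://other.example/page"),
    Request("anonymous visitor", None, SITE + "/cart"),
]


def summarize() -> Dict[str, Dict[str, bool]]:
    """Map each constructed request to its accept/reject result under both policies."""
    return {r.label: evaluate(r) for r in REQUESTS}


if __name__ == "__main__":
    for label, result in summarize().items():
        print(f"{label}: {result}")
```

Read the output row by row: the cookie-only column accepts the cross-site XHR exactly as it accepts the genuine user, which is Jonas's point, while the cookie-and-Referer column rejects the user behind the stripping proxy, which is Jim's. Neither policy on its own separates the two cases the thread cares about.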