On Tue, Oct 25, 2011 at 11:46 PM, Adam Barth <[email protected]> wrote:
> On Tue, Oct 25, 2011 at 8:41 PM, Glenn Maynard <[email protected]> wrote: > > It would fully break the basic use cases of Referer--being able to tell > what > > server is inlining resources on your server and causing it to be > hammered, > > and being able to do something about it. "rel=originreferer" mode > doesn't > > have that problem, though. > > It's a matter of weighing the privacy and security benefits against > the costs to that use case. If you're interested in that use case, > you might be interested in Anne's From-Origin proposal, which > addresses it head-on. > From-Origin doesn't allow selectively revoking access to a resource, without revoking it from everyone. From-Origin also assumes a very small set of origins which can access a resource. If you have lots of domains (Google) or dynamically-generated domains (Blogspot), it falls apart quickly. I'd be concerned about losing this functionality of Referer before From-Origin is fully proven. I have doubts of From-Origin being a realistic replacement for it. -- Glenn Maynard
