On Mon, Mar 18, 2013 at 3:57 PM, Jonas Sicking <[email protected]> wrote:
> By not including cookies or other login information you are already
> forcing the capability model since you can't tell the connection from
> one that is server-to-server.
>
> Including the referrer header, at least by default, seems very useful
> still since there is lots of infrastructure in servers which are using
> those for logging purposes.

I don't disagree, but they wanted to avoid exposing any kind of originating data so people could not make trust decisions based on that at all (however silly doing that may be). See http://www.w3.org/TR/UMP/#request-sending in particular. I don't really mind what we do here either way.

--
http://annevankesteren.nl/
