On Tue, Mar 19, 2013 at 6:30 PM, Jonas Sicking <[email protected]> wrote:
> I don't think that that is a particularly convincing argument since there is
> no confused deputy problem here, and if a website is making security
> decisions based on referrer headers even when there are no other identifying
> signals, then that website is a lost cause.

Not if the referring URL was a capability, which I think might have been the point.

> In other words, I see no new attack vectors being introduced, but I do see
> additional value, if we keep the referrer.

You do know there are efforts to make Referer obsolete within Mozilla so as to leak less information about the user?

> Regarding origin. I guess I don't care terribly strongly either way. But I
> don't really see the value of creating an exception here from regular CORS
> given that I don't see any attack vectors that are being closed.

Yeah, hmm, I wish more people participated in this thread.

--
http://annevankesteren.nl/
