<CAJE5ia8g6v_SWcqPqyBnrmBTtk5azRDibH1jGSBXE2JT+gqRug@mail.gmail.com>
Current votes: None.
On Tue, Oct 25, 2011 at 8:41 PM, Glenn Maynard <glenn@zewt.org> wrote: > On Tue, Oct 25, 2011 at 9:16 PM, Adam Barth <w3c@adambarth.com> wrote: >> > Are implementors really willing to implement a feature that allows >> > disabling >> > referrers for non-links, though?=A0 I'm pretty sure rel=3Dnoreferrer's >> > links-only limitation is by design. >> >> I'm an implementor, and I'm interested in implementing this feature. =A0= :) > > It would fully break the basic use cases of Referer--being able to tell w= hat > server is inlining resources on your server and causing it to be hammered= , > and being able to do something about it.=A0 "rel=3Doriginreferer" mode do= esn't > have that problem, though. It's a matter of weighing the privacy and security benefits against the costs to that use case. If you're interested in that use case, you might be interested in Anne's From-Origin proposal, which addresses it head-on. (BTW, I don't agree that use case is "the" basic use case for Referer, but that's a matter of opinion.) > By the way, does this need to consider CORS and the Origin header for <im= g > cross-origin>?=A0 I'm not fresh on how that works. Nope. The two do not interact. Adam