Comment 40 for bug 560246

Robert Collins (lifeless) wrote : Re: [Bug 560246] Re: Launchpad requires the REFERER header on form submission breaking with noscript and other privacy/spam browser plugins

On 26 March 2013 06:52, Ben Bucksch <email address hidden> wrote:
> Robert, that doesn't matter. Requiring referer is not an option on the
> web, because the HTTP spec not only says that it's optional, but
> specifically warns about privacy problems it causes.
>
> See http://www.apps.ietf.org/rfc/rfc2616.html#sec-15.1.3
> Quote from the HTTP spec:
> "
> Because the source of a link might be private information or might reveal an otherwise
> private information source, it is strongly recommended that the user be able to
> select whether or not the Referer field is sent. For example, a browser client could
> have a toggle switch for browsing openly/anonymously, which would respectively
> enable/disable the sending of Referer and From information.
> "

That recommends user agents have the capability, and I totally support
that. The use of Referer here has no privacy implications because
there is no requirement that Referer from other sites be provided,
merely that Referer from within LP be provided.

> So, you're saying I can only contribute to Ubuntu when I give up my
> privacy? I hope not. But that's currently the choice I have.

I am saying nothing of the sort, and as I show above, that isn't in
fact the case. Turn off referer for all other sites, turn it on for LP
only.

Or, as has been said before, contribute a patch to implement the
required protection in another fashion.

-Rob
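
The policy described in this comment (a Referer is required on form submissions, and only one from within the site is accepted), sketched as an added example; it is not part of the original comment and is not Launchpad's code. The host names, the scheme and the function name `check_referer` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed values for illustration; not taken from Launchpad's configuration.
SITE_SCHEME = "https"
SITE_HOSTS = {"launchpad.example", "bugs.launchpad.example"}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def check_referer(method, headers):
    """Return (allowed, reason) under a same-site Referer policy."""
    if method.upper() not in UNSAFE_METHODS:
        # Plain navigation is unaffected, so arriving from another site
        # with no Referer at all is accepted.
        return True, "safe method, Referer not required"
    # Header names are case-insensitive.
    referer = next(
        (v for k, v in headers.items() if k.lower() == "referer"), None
    )
    if not referer:
        # The case this bug is about: a client that strips Referer everywhere.
        return False, "missing Referer on form submission"
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return False, "malformed Referer"
    # Compare the parsed host exactly; a prefix or substring match would
    # accept look-alike hosts and userinfo tricks.
    if parts.scheme != SITE_SCHEME or parts.hostname not in SITE_HOSTS:
        return False, "Referer is not from this site"
    return True, "same-site Referer"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("GET", {}),
        ("POST", {}),
        ("POST", {"Referer": "https://bugs.launchpad.example/ubuntu/+filebug"}),
        ("POST", {"Referer": "https://other.example/page"}),
    ]
    for method, headers in samples:
        print(method, headers, "->", check_referer(method, headers))
```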