
List:       apache-docs
Subject:    Antwort: Re: More about FAQs
From:       Michael.Schroepl () telekurs ! com
Date:       2002-06-27 17:23:36


Hi,


> I'd also add
> SetEnvIf Referer "^^$" linked_from_here
> This is relatively safe because people doing the "inlining" don't
> have control over the browsers, so they won't be able to use this
> extra flexibility to get around the restriction.

there are situations where even this would allow for inlining
the images.
For example, the Internet Exploder doesn't send a Referrer
when referencing a HTTP URL from a HTTPS page (for security
considerations; RFC 2616 doesn't enforce a behaviour there
but even suggests to not send a Referrer; Netscape 4 _is_
sending the Referrer in this case).
So if matching the empty Referrer this would still allow a
HTTPS site to inline images from a HTTP site, if they ignore
Netscape 4 users.

> Plus it allows privacy-minded clients and simpler browsers to still
> access the images.

Like Opera 5 & 6, which can be configured not to send
any Referrers at all.

Or Mozilla 1.0, whose configuration file
"bin\defaults\pref\all.js" says this:
     pref("network.http.sendRefererHeader", 2);
     // 0=don't send any, 1=send only on clicks, 2=send on image requests as well

(There is not yet a GUI access from Mozilla 1.0 or Netscape
7.0PR1 to this field, but one may still edit the file.)

Let alone tools like WebWashers and the like.

There seem to be no easy solutions to this, especially when
new UserAgents allow users to suppress Referrers more easily.

Regards,

      Michael
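
The Referer check discussed in this thread, modelled in Python as an added example (not part of the original message or of Apache's own code). It shows which image requests would be served once the empty-Referer rule is in place. The host names, the first rule and the client labels are assumptions; the client behaviour follows the descriptions given in the message above.

```python
import re

# Each pattern stands for one "SetEnvIf Referer <regex> linked_from_here" line.
REFERER_RULES = [
    re.compile(r"^http://www\.example\.com/"),  # assumed rule for the site's own pages
    re.compile(r"^^$"),                         # the empty-Referer rule quoted in the thread
]

def linked_from_here(referer):
    """True if a rule would set linked_from_here (a missing header is modelled as "")."""
    return any(rule.search(referer or "") for rule in REFERER_RULES)

def referer_sent(client, page_url):
    """Referer a client sends for an inline HTTP image, per the thread's descriptions."""
    if client in ("opera-no-referrer", "mozilla-pref-0", "mozilla-pref-1"):
        return None      # user configuration suppresses Referer on image requests
    if client == "ie" and page_url.startswith("https://"):
        return None      # HTTPS page referencing an HTTP URL: no Referer sent
    return page_url      # netscape4, mozilla-pref-2, and ie on plain HTTP pages

# Constructed scenarios: (label, client, page that embeds the image).
FOREIGN_HTTP = "http://other.example.net/page.html"
FOREIGN_HTTPS = "https://other.example.net/page.html"
SCENARIOS = [
    ("own page", "netscape4", "http://www.example.com/gallery.html"),
    ("foreign HTTP page, IE", "ie", FOREIGN_HTTP),
    ("foreign HTTPS page, IE", "ie", FOREIGN_HTTPS),
    ("foreign HTTPS page, Netscape 4", "netscape4", FOREIGN_HTTPS),
    ("foreign HTTP page, Opera without Referrer", "opera-no-referrer", FOREIGN_HTTP),
    ("foreign HTTP page, Mozilla pref=1", "mozilla-pref-1", FOREIGN_HTTP),
]

def evaluate(scenarios=SCENARIOS):
    """Map each scenario label to whether the image request would be served."""
    return {label: linked_from_here(referer_sent(client, page))
            for label, client, page in scenarios}

if __name__ == "__main__":
    for label, served in evaluate().items():
        print(f"{'served ' if served else 'refused'}  {label}")
```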


