Rich Graves, <llurch@networking.stanford.edu>, writes:
A friend who webmasters a large site that is implementing referer-specific content sent me this when I mentioned the cpunks/cryptography thread of a few months back. I basically agree with the W3C. While user education on the potential privacy threat is essential, I do not believe that Netscape should violate published technical standards. There are also privacy and property issues from the server's perspective.
I'm not sure what Netscape action you are referring to, but if it is giving the users the option to block the Referer tag, RFC2068, which is HTTP/1.1, already endorses this: Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information. and later: We suggest, though do not require, that a convenient toggle interface be provided for the user to enable or disable the sending of From and Referer information. I use Eric Murray's fine "cookie jar" privacy program when I am web browsing on my Linux system (http://www.lne.com/ericm/cookie_jar/). It blocks cookies and advertisements via a very flexible config file mechanism. It also eliminates other privacy-revealing outgoing data, including Referer, and could be easily modified to play all kinds of games with Referer for the adventurous. In the news recently, Ticketron is blocking links from some Microsoft affiliated sites due to a disagreement about licensing. I don't know the details of how it is done technically, but possibly it is done by looking at the Referer tag to see if the user linked from the Microsoft site. If so, this would be a good example of the browser sending information which is detrimental to the user. Hal