Posted by shimmyshack on 06/01/07 08:37

On May 31, 9:14 pm, Phil <supp...@campbell-graves.org> wrote:
> You're right. Thanks, for pointing out that referring pages are
> privacy issues. Many of us would include some uses of cookies in that
> threat. It's a big issue that deserves discussion.
>
> Http-header contains history. Some header information seems privacy
> related (computer, OS, IP/domain, and at least the last item in the
> browsing history). One posting suggested that the header goes back a
> few urls.
>
> Does everyone agree that websites should not capture http-header
> information?
>
> Phil

well it depends, http headers are of course essential, I guess we are
talking about referer which is essentially useless (can be spoofed and
isnt required) and other "custom" headers which can form part of an
application.
Referers should probably be blocked by privacy conscious users at the
browser level. They only reveal history if the web application that
the user is running (visiting) tells them to. The essential problem is
ignorance in users, they do not (and shouldnt be expected to) discern
between bad and good elements in a page. For a long time we have
followed the "if it works great" approach of companies like M$ with IE
almost designed with this ethos in mind, sooner rather than later,
there will be some high profile court case against companies which
collect data without proper consent, no doubt following yet another
uncontrolled relesase, which will result in some change or the other
to the way browsers transmit and applications can collect information,
and the implicit consent which is assumed by visiting a website.
Havent we all got to this situation via "corporations" whose control
of the legal system skews rights in their direction - "companies have
to proove adherence to software licenses etc..."
Theres no short answer except the power of combined individuals. If
you dont want your history tracked, write a good article explaining
the risks and showing up a few companies that do it, and have a link
to a firefox addon, if the article is digg'd you've gone some way to
helping the situation.
I run noscript, and explicitly and temporarily allow domains if the
page doesnt work, this stops all kinds of threats including persistent
xss, and of course 3rd party privacy thieves. Combine this with
RefControl and you're done.

[Back to original message]