1) Yes, this was a conscious compromise.
2) You and I disagree on your interpretation ("Your Referer check means that your site will not be accessible from RFC 2068-compatible browsers") but I of course acknowledge the underlying fact of the RFC language. It was a conscious compromise.
3) The only browser-related ways of forging REFERER headers I found (http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml, for instance) appeared to be pertinent to older versions of software; and HTTP, not HTTPS. At this time, our posts are exclusively HTTPS.
Given other priorities, I do not plan to revisit the decision in the short term.
We might revisit the decision when we open up much of the site to HTTP, which may be within a few months.
Gary
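The trade-off Gary describes, as an added illustration that is not code from the thread or from the site under discussion: a Referer check on a state-changing request has to decide what to do when the header is absent, because RFC 2068 permits a client to omit it. The strict policy (reject when missing) is the compromise described above and locks out such clients; the lenient policy keeps them but gives them no protection. The host name `example.org` is a constructed placeholder, and the helper names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed placeholder; substitute the real site host when deploying.
SITE_HOST = "example.org"


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def referer_check(headers, site_host=SITE_HOST, require_referer=True):
    """Decide whether a state-changing request passes the Referer check.

    Returns (allowed, reason).

    require_referer=True  -> strict policy: a request with no Referer is
                             rejected. RFC 2068 lets a client omit the
                             header, so those clients lose access.
    require_referer=False -> lenient policy: a missing Referer is accepted,
                             which restores those clients but leaves them
                             without this protection.
    A Referer whose host is not the site's own host is always rejected.
    """
    referer = _header(headers, "Referer")
    if referer is None or referer.strip() == "":
        if require_referer:
            return False, "missing Referer (strict policy)"
        return True, "missing Referer accepted (lenient policy)"

    parts = urlsplit(referer.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unparseable Referer"

    # Compare the whole host exactly. A prefix or substring comparison
    # would accept a host such as "example.org.other.test".
    if parts.hostname.lower() != site_host.lower():
        return False, "Referer host %r is not %r" % (parts.hostname, site_host)
    return True, "Referer host matches"


if __name__ == "__main__":
    # Constructed sample requests showing both policies.
    samples = [
        {"Referer": "https://example.org/post/edit"},
        {"Referer": "https://example.org.other.test/"},
        {},
    ]
    for policy in (True, False):
        for h in samples:
            print("strict" if policy else "lenient", h, referer_check(h, require_referer=policy))
```

The function only answers the question the thread raises (same-host Referer present or not); it does not by itself make a request safe from every cross-site technique, and the `require_referer` flag is exactly the knob the author chose to set strictly.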