{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreif7mxrsqy253t6ssazic4clzv2uyy6h5ypzqi7wp5woylpnu6xldu",
    "uri": "at://did:plc:hqad6xwuzg7oqfmwylfkvqfm/app.bsky.feed.post/3mlipcdrgra52"
  },
  "path": "/viewtopic.php?t=33385&p=273785#p273785",
  "publishedAt": "2026-05-10T11:40:26.000Z",
  "site": "http://forum.palemoon.org",
  "textContent": "> Ok, but why the heck should any website know our previously visited website, i.e. where we come from?\n\nBecause you don't want external requests to suck up your server bandwidth, for one.\nSecondly, for security-sensitive things, you want to ensure inbound linkage is legitimate from expected hosts.\n\nYes, it's potentially a privacy concern, but not that big of a deal in properly-implemented web clients like browsers. It only shows the target sevrer where you came from if it was, in fact, a hyperlink or other content-navigation request. referrers are empty if you navigate manually from the UI or use a bookmark or what not.\n\nSame-domain settings to ignore referrer spoofing are indeed a good measure to limit breakage, but that still fails when, like Paypal does, own hosts aren't necessarily all on the same domain (which is often a security measure for the server operator as well - decoupling DNS of the core business from any third party in use like a CDN). I know paypal uses \"paypalobjects.com\" for example for static resources that have to be cached aggressively; \"same domain\" won't work because it's not \"paypal.com\".\n\n* * *",
  "title": "Web Compatibility Support • Re: Paypal.com Stuck at Security Check",
  "updatedAt": "2026-05-10T11:40:26.000Z"
}