
Re: scrub-referrer directive?

From: Nico Williams <nico@cryptonector.com>
Date: Mon, 13 Jun 2011 17:17:41 -0500
Message-ID: <BANLkTi=nNpKoOZyRUZzjorbEAM52wi_iTw@mail.gmail.com>
To: Mike Perry <mikeperry@torproject.org>
Cc: public-web-security@w3.org

On Mon, Jun 13, 2011 at 3:48 PM, Mike Perry <mikeperry@torproject.org> wrote:
> I also realized that Sid's idea has a converse that I thought should
> be mentioned. There could be an inheritable attribute that allows
> sites to request unrestricted referer transmission in a
> default-off/restricted referer situation (like Private Browsing Mode).
> The chrome could ask for user permission to transmit unrestricted
> referers for this site, but in reality I don't think any UI is needed
> from a security sense, because sites can smuggle whatever they want
> into URL parameters anyways.
>
> You then solve the "sites screaming bloody murder" point, and referer
> transmission at least becomes more explicit instead of easily confused
> with negligence and oversight.

I like this, very much.

Nico
--
Received on Monday, 13 June 2011 22:18:12 UTC
