
scrub-referrer directive?

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 26 May 2011 17:04:11 -0700
Message-ID: <BANLkTi=Xc7j2c4x5=h-HLm7zUJ7r4Byx0g@mail.gmail.com>
To: public-web-security@w3.org
Lots of sensitive information leaks in the Referer header.  This paper
has a bunch of scary examples:


I'm not sure whether we can scrub the Referer header by default
because lots of folks use the Referer header for all kinds of crazy
stuff, but we should at least give sites an easy hook for scrubbing
it.  There probably should be a couple options:

1) Remove header entirely.
2) Strip down the Referer to just the origin.


Should we add a "scrub-referrer" directive to CSP?

Received on Friday, 27 May 2011 00:13:45 UTC
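The two scrubbing options proposed in the message, modelled as an added example (not code from the message, from CSP, or from any browser); the mode names, the constructed sample referrers and the trailing-slash origin form are assumptions of this sketch:

```javascript
// Added illustration of the two proposed options; mode names are assumptions.
const SCRUB_MODES = Object.freeze({
  REMOVE: "remove", // option 1: do not send a Referer header at all
  ORIGIN: "origin", // option 2: send only scheme://host[:port]/
});

/**
 * Compute the Referer value to send for a request.
 * @param {string|null} referrer full URL of the referring document, or null
 * @param {string} mode one of SCRUB_MODES
 * @returns {string|null} header value, or null meaning "omit the header"
 */
function scrubReferrer(referrer, mode) {
  if (!referrer || mode === SCRUB_MODES.REMOVE) return null;
  if (mode !== SCRUB_MODES.ORIGIN) throw new Error(`unknown mode: ${mode}`);

  let url;
  try {
    url = new URL(referrer);
  } catch {
    return null; // unparsable input: send nothing rather than risk a leak
  }
  // Only http(s) documents have an origin worth disclosing; opaque origins
  // (about:blank, data:, file:) serialise as "null" and are dropped.
  if (url.origin === "null" || !/^https?:$/.test(url.protocol)) return null;
  // The origin-only form keeps scheme, host and port; path, query and fragment
  // (where tokens, account ids and search terms typically live) are discarded.
  return url.origin + "/";
}

// Constructed sample referrers showing what each option would disclose.
const SAMPLES = [
  "https://mail.example.com/inbox/msg/42?session=abc123&q=salary",
  "https://shop.example.com:8443/orders/9917#receipt",
  "data:text/html,<p>hi</p>",
  "not a url",
];

function demo() {
  return SAMPLES.map((r) => ({
    referrer: r,
    remove: scrubReferrer(r, SCRUB_MODES.REMOVE),
    origin: scrubReferrer(r, SCRUB_MODES.ORIGIN),
  }));
}

console.table(demo());
```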
