
Re: scrub-referrer directive?

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 27 May 2011 02:18:31 -0700
Message-ID: <BANLkTinWU6DpSPO0bvLDekLz+-Y-k-4jyg@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-web-security@w3.org
Since stripping referer is something proxies (and iirc some browsers
even) have done in the past, I don't think we need to be too worried
about that. Your own study[1] mentions > 10% referer header suppression
in the past. Why not go with the simpler design and move to the more
flexible one if a need is felt?

--devdatta

[1] http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

On 26 May 2011 22:03, Adam Barth <w3c@adambarth.com> wrote:
> On Thu, May 26, 2011 at 7:09 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> 1) Remove header entirely.
>>> 2) Strip down the Referer to just the origin.
>>
>> 2. seems to be the Origin header. Is there a particular use case for
>> adding this?
>
> Mostly integration with existing servers that look at the Referer
> header.  Another possibility is to just strip the query (and fragment,
> of course).
>
> Adam
>
>
>>> https://bugs.webkit.org/show_bug.cgi?id=61576
>>>
>>> Should we add a "scrub-referrer" directive to CSP?
>>>
>>> Adam
>>>
>>>
>>
>
Received on Friday, 27 May 2011 09:19:19 GMT
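
The options discussed in this thread (remove the header, reduce it to the origin, or strip only the query and fragment) are compared below in an added example that is not part of the original messages or of any CSP specification. The mode names, the helper functions and the sample URL are assumptions made for illustration.

```javascript
// Added example: mode names are hypothetical labels for the options in the
// thread, not values defined by CSP or any browser.
const MODES = ['remove', 'origin-only', 'strip-query'];

// Returns the Referer value to send, or null when the header is omitted.
function scrubReferrer(referrer, mode) {
  if (!MODES.includes(mode)) throw new Error(`unknown mode: ${mode}`);
  let url;
  try {
    url = new URL(referrer);
  } catch {
    return null; // unparsable referrer: send nothing
  }
  // Assumption: only http(s) documents produce a Referer at all.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;

  switch (mode) {
    case 'remove':      // option 1: no header
      return null;
    case 'origin-only': // option 2: scheme, host and non-default port only
      return url.origin;
    case 'strip-query': // the alternative: keep the path, drop query and fragment
      url.username = ''; // embedded credentials never belong in a Referer
      url.password = '';
      url.search = '';
      url.hash = '';
      return url.href;
  }
}

// What a receiving server could still learn from the scrubbed value.
function exposure(value) {
  if (value === null) return { origin: false, path: false, queryKeys: [] };
  const u = new URL(value);
  return { origin: true, path: u.pathname !== '/', queryKeys: [...u.searchParams.keys()] };
}

// Constructed sample: a page URL carrying a secret in its query string.
const SAMPLE = 'https://app.example/account/reset?token=CONSTRUCTED-TOKEN&user=alice#step2';

function compareModes(referrer) {
  return Object.fromEntries(MODES.map((m) => [m, scrubReferrer(referrer, m)]));
}

console.log(compareModes(SAMPLE));
```

The path-preserving mode still tells the receiving server which page the user came from, which matters when the path itself is sensitive.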
