- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 27 May 2011 02:18:31 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-web-security@w3.org

Since stripping referer is something proxies (and iirc some browsers
even) have done in the past, I don't think we need to be too worried
about that. Your own study[1] mentions > 10% referer header
suppression in the past. Why not go with the simpler design and move
to the more flexible one if a need is felt?

--devdatta

[1] http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

On 26 May 2011 22:03, Adam Barth <w3c@adambarth.com> wrote:
> On Thu, May 26, 2011 at 7:09 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> 1) Remove header entirely.
>>> 2) Strip down the Referer to just the origin.
>>
>> 2. seems to be the Origin header. Is there a particular use case for
>> adding this ?
>
> Mostly integration with existing servers that look at the Referer
> header. Another possibility is to just strip the query (and fragment,
> of course).
>
> Adam
>
>>> https://bugs.webkit.org/show_bug.cgi?id=61576
>>>
>>> Should we add a "scrub-referrer" directive to CSP?
>>>
>>> Adam

Received on Friday, 27 May 2011 09:19:19 UTC
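
The scrubbing options weighed in this thread (remove the header, reduce it to the origin, or strip only the query and fragment) are compared below on one URL. This is an added example, not code from the thread or from WebKit; the mode names and the sample URL are constructed for illustration, since the thread does not define values for the proposed directive.

```javascript
// Added illustration. Mode names are hypothetical; the thread proposes a
// "scrub-referrer" directive but does not define its values.
function scrubReferrer(documentUrl, mode) {
  let url;
  try {
    url = new URL(documentUrl);
  } catch (e) {
    return null; // unparseable document URL: send no Referer
  }
  // Only http(s) documents yield a Referer value.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;

  // Credentials and the fragment are dropped in every mode.
  url.username = '';
  url.password = '';
  url.hash = '';

  switch (mode) {
    case 'remove':      // option 1: omit the header entirely
      return null;
    case 'origin-only': // option 2: scheme, host and port only
      return url.origin + '/';
    case 'strip-query': // alternative: keep the path, drop the query
      url.search = '';
      return url.href;
    case 'full':        // unscrubbed baseline for comparison
      return url.href;
    default:
      throw new Error('unknown mode: ' + mode);
  }
}

// Constructed sample: a page whose query string carries a secret.
const SAMPLE =
  'https://user:pw@mail.example.com/reset/confirm?token=SECRET123&uid=42#step2';

// True when the outgoing Referer value would still expose `needle`.
function leaks(referer, needle) {
  return referer !== null && referer.includes(needle);
}

for (const mode of ['full', 'strip-query', 'origin-only', 'remove']) {
  const value = scrubReferrer(SAMPLE, mode);
  console.log(mode.padEnd(12), value === null ? '(no header)' : value,
    leaks(value, 'SECRET123') ? '[token exposed]' : '');
}
```

Stripping only the query still discloses the path (`/reset/confirm` here), which is the trade-off between that variant and the origin-only form.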