W3C home > Mailing lists > Public > public-web-security@w3.org > May 2011

Re: scrub-referrer directive?

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 27 May 2011 11:16:49 +0100
Message-ID: <BANLkTi=M0ea1TVwB_x4z8p3P19K4re6f_A@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-web-security@w3.org
On 27 May 2011 01:04, Adam Barth <w3c@adambarth.com> wrote:

> Lots of sensitive information leaks in the Referer header.  This paper
> has a bunch of scary examples:
> http://w2spconf.com/2011/papers/privacyVsProtection.pdf
> I'm not sure whether we can scrub the Referer header by default
> because lots of folks use the Referer header for all kinds of crazy
> stuff, but we should at least give sites an easy hook for scrubbing
> it.  There probably should be a couple options:
> 1) Remove header entirely.
> 2) Strip down the Referer to just the origin.

Whitehat on:
I think it's a good idea helps protect sites that don't use https

Blackhat on:
I think it's a good idea, I can use a CSP server to strip or manipulate the
referrer hopefully when you extract the origin you'll make a mistake :)
Received on Friday, 27 May 2011 10:17:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC