W3C home > Mailing lists > Public > public-web-security@w3.org > May 2011

Re: scrub-referrer directive?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 27 May 2011 16:27:52 -0700
Message-ID: <4DE03378.5020307@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org
On 5/26/11 10:03 PM, Adam Barth wrote:
> Another possibility is to just strip the query (and fragment,
> of course).

I'm not sure there's much point of that. Stripping the query already
breaks a lot of legitimate uses for the referrer, while not
protecting against some of the SSO-type URLs that pass user or
session IDs in the URL itself. If there's a case that Referer: can
be safely pared back we should go all the way back to an unadorned
origin. (It's still going to break stuff; who wants to go first?)

Fragments should already not be sent with the Referer.
Received on Friday, 27 May 2011 23:28:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 May 2011 23:28:28 GMT