
Re: scrub-referrer directive?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 27 May 2011 19:11:00 -0700
Message-ID: <4DE059B4.2000506@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>

On 5/26/11 5:04 PM, Adam Barth wrote:
> https://bugs.webkit.org/show_bug.cgi?id=61576
> 
> Should we add a "scrub-referrer" directive to CSP?

Adding it to CSP side-steps the breakage problem by making it
opt-in, but will the sites we care about opt in? Some of them simply
don't care; they may already be doing stupid things like passing
credentials in URLs in the clear. Some of them are passing the
information on purpose.

If we're concerned about referrer leaks we shouldn't rely on
voluntary opt-in via CSP. I'm not strongly against adding it, but I
suspect it's useless bloat. I'd prefer to standardize what we've got
so far before we add more to it.

-Dan Veditz
Received on Saturday, 28 May 2011 02:11:36 GMT
