W3C home > Mailing lists > Public > public-web-security@w3.org > May 2011

Re: scrub-referrer directive?

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 27 May 2011 21:54:10 -0700
Message-ID: <BANLkTi=V7+0MGuXD+VfZKe35jMM31YMxaw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>

On Fri, May 27, 2011 at 7:11 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 5/26/11 5:04 PM, Adam Barth wrote:
>> https://bugs.webkit.org/show_bug.cgi?id=61576
>>
>> Should we add a "scrub-referrer" directive to CSP?
>
> Adding it to CSP side-steps the breakage problem by making it
> opt-in, but will the sites we care about opt-in? Some of them simply
> don't care, they may already be doing stupid things like passing
> credentials in URLs in the clear. Some of them are passing the
> information on purpose.
>
> If we're concerned about referrer leaks we shouldn't rely on
> voluntary opt-in via CSP. I'm not strongly against adding it, but I
> suspect it's useless bloat. I'd prefer to standardize what we've got
> so far before we add more to it.

Yeah, the sites that leak data in the paper seem like the types that
would be helped more by on-by-default protection.  I'm too scared of
what would happen if we nuked Referer by default though.  :(

Adam
Received on Saturday, 28 May 2011 04:55:10 GMT
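As an added example that is not part of the thread, the following JavaScript models what a page leaks through the Referer header when it loads a cross-site resource, with and without the proposed opt-in scrub. Everything in it is an assumption for illustration: the function names refererFor() and leakedParams(), the constructed sample URLs, and the modelled default rule (send the referring URL minus userinfo and fragment, send nothing on an https-to-http downgrade per RFC 2616 section 15.1.3; with the scrub in effect, send nothing).

```javascript
// Added example, not code from the thread. Models which part of the referring
// page's URL reaches a third party via Referer. Assumptions: the default rule
// below (RFC 2616 15.1.3 plus the usual stripping of userinfo and fragment),
// the hypothetical "scrub" option standing in for the proposed CSP directive,
// and the constructed sample URLs.

function refererFor(documentUrl, targetUrl, { scrub = false } = {}) {
  const from = new URL(documentUrl);
  const to = new URL(targetUrl);
  if (scrub) return null;                 // directive in effect: header omitted
  if (from.protocol === "https:" && to.protocol === "http:") return null; // downgrade
  const r = new URL(from.href);
  r.username = "";                        // userinfo is not sent
  r.password = "";
  r.hash = "";                            // fragment is never part of the request
  return r.href;
}

// Names of the referring page's query parameters that the target would see.
function leakedParams(documentUrl, targetUrl, opts) {
  const ref = refererFor(documentUrl, targetUrl, opts);
  if (ref === null) return [];
  return Array.from(new URL(ref).searchParams.keys());
}

// Constructed sample: a page carrying a session token in its query string
// embeds an image served by a third party (the "credentials in URLs" case).
const PAGE = "http://bank.example/account?session=s3cr3t&acct=4455#summary";
const THIRD_PARTY = "http://ads.example/track.gif";

function demo() {
  return {
    defaultReferer: refererFor(PAGE, THIRD_PARTY),
    defaultLeak: leakedParams(PAGE, THIRD_PARTY),
    scrubbedReferer: refererFor(PAGE, THIRD_PARTY, { scrub: true }),
    scrubbedLeak: leakedParams(PAGE, THIRD_PARTY, { scrub: true }),
  };
}

console.log(demo());
```

The downgrade rule is why serving the page over HTTPS already hides the URL from plain-HTTP third parties, but it does nothing for HTTPS-to-HTTPS embeds, which is the gap an opt-in scrub (or an on-by-default change) would close.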
