Re: scrub-referrer directive?

> Adding it to CSP side-steps the breakage problem by making it
> opt-in, but will the sites we care about opt-in? Some of them simply
> don't care, they may already be doing stupid things like passing
> credentials in URLs in the clear. Some of them are passing the
> information on purpose.

I think it's worth considering.

Disabling "Referer" altogether (or crippling it substantially) without
upsetting much of the Internet is probably not feasible. I can
elaborate on this, but it's probably not necessary =)

So, without an opt-in solution, site owners have to resort to one of
two things: not putting anything sensitive in URLs, ever (usually not
feasible / enforceable), or carefully scrubbing every outgoing
navigation by doing some redirection tricks that suppress the header
(painful, ugly, error-prone, impossible to do right for certain types
of subresource loads).

Sites that care (Facebook, GMail, etc) typically use the latter
technique, but every now and then, they miss a spot. Having a simple
opt-in mechanism that works for all content inclusion modes, and can
be applied site-wide, is a clear win for them, probably.

/mz

Received on Saturday, 28 May 2011 06:23:26 UTC