Re: scrub-referrer directive?

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 27 May 2011 23:22:38 -0700
Message-ID: <BANLkTi=x3Lv6CKjdtZVai+PWedC4Cj5OjA@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>

> Adding it to CSP side-steps the breakage problem by making it
> opt-in, but will the sites we care about opt-in? Some of them simply
> don't care, they may already be doing stupid things like passing
> credentials in URLs in the clear. Some of them are passing the
> information on purpose.

I think it's worth considering.

Disabling "Referer" altogether (or crippling it substantially) without
upsetting much of the Internet is probably not feasible. I can
elaborate on this, but it's probably not necessary =)

So, without an opt-in solution, site owners have to resort to one of
two things: not putting anything sensitive in URLs, ever (usually not
feasible / enforceable), or scrubbing outgoing navigation carefully on
every by doing some redirection tricks that suppress the header
(painful, ugly, error-prone, impossible to do right for certain types
of subresource loads).

Sites that care (Facebook, GMail, etc) typically use the latter
technique, but every now and then, they miss a spot. Having a simple
opt-in mechanism that works for all content inclusion modes, and can
be applied site-wide, is a clear win for them, probably.

/mz
Received on Saturday, 28 May 2011 06:23:26 GMT
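Added example (not part of the thread): a small Python audit of the "they miss a spot" failure mode described above. It assumes the site already routes outbound navigations through a same-origin redirector (here the hypothetical /out?u=...) and reports cross-origin references that bypass it, distinguishing navigations the redirector could cover from subresource loads it cannot; the page URL and markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute triggers a request carrying the page's Referer.
# Navigations can be routed via a same-origin redirector; subresource loads
# cannot, since a plain HTTP redirect forwards the original Referer.
_NAVIGATION = {"a": "href", "form": "action"}
_SUBRESOURCE = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, raw url attribute)

    def handle_starttag(self, tag, attrs):
        attr = _NAVIGATION.get(tag) or _SUBRESOURCE.get(tag)
        for name, value in attrs:
            if attr and name == attr and value:
                self.refs.append((tag, value))

def find_referrer_leaks(page_url, html):
    """Cross-origin references in `html` that would send `page_url` as Referer.
    Returns (tag, absolute_url, fixable_by_redirector); same-origin targets
    (including a same-origin /out?u=... redirector) and https->http downgrades,
    where browsers drop Referer, are skipped."""
    page = urlsplit(page_url)
    collector = _RefCollector()
    collector.feed(html)
    leaks = []
    for tag, raw in collector.refs:
        target = urlsplit(urljoin(page_url, raw))
        if target.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, data: make no HTTP request
        if (target.scheme, target.netloc) == (page.scheme, page.netloc):
            continue  # Referer goes back to the site itself
        if page.scheme == "https" and target.scheme == "http":
            continue  # secure-to-insecure: Referer is dropped
        leaks.append((tag, target.geturl(), tag in _NAVIGATION))
    return leaks

# Constructed sample: a session token in the URL plus mixed outbound references.
SAMPLE_URL = "https://mail.example.test/inbox?auth=SECRET-TOKEN"
SAMPLE_HTML = (
    '<a href="/out?u=https://partner.example.org/">via redirector</a>'
    '<a href="https://ads.example.net/click">missed spot</a>'
    '<img src="//cdn.example.org/pixel.png">'
    '<script src="/static/app.js"></script>'
    '<a href="mailto:help@example.test">mail</a>'
    '<a href="http://plain.example.com/">downgrade</a>'
)
```

Running find_referrer_leaks(SAMPLE_URL, SAMPLE_HTML) flags the ads link (coverable by the redirector) and the CDN image (not coverable), and nothing else.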