Re: scrub-referrer directive?

From: Nico Williams <nico@cryptonector.com>
Date: Sat, 28 May 2011 00:17:45 -0500
Message-ID: <BANLkTi=6Dcd95DaDSnw_v0ed2BcE0WAmRA@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>

On Fri, May 27, 2011 at 11:54 PM, Adam Barth <w3c@adambarth.com> wrote:
> Yeah, the sites that leak data in the paper seem like the types that
> would be helped more by on-by-default protection.  I'm too scared of
> what would happen if we nuked Referer by default though.  :(

Well, just what would happen?

One guess: sites that want linkees to get referrer info will resort to
redirects, with URLs encoded in URLs (quite possibly via encryption,
to defeat URL cleaning add-ons).

Another guess: site operators will scream bloody murder :)

What else?

But if site operators use referrers as a way to purposefully (yet with
plausible deniability) leak information to selected third parties...
What else can users do but turn off Referrers?

Nico
--
Received on Saturday, 28 May 2011 08:05:42 GMT
