W3C home > Mailing lists > Public > public-web-security@w3.org > May 2011

Re: scrub-referrer directive?

From: Bil Corry <bil@corry.biz>
Date: Sat, 28 May 2011 08:34:22 -0700
Message-ID: <4DE115FE.7050705@corry.biz>
To: Michal Zalewski <lcamtuf@coredump.cx>
CC: Daniel Veditz <dveditz@mozilla.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>
Michal Zalewski wrote on 5/27/2011 11:22 PM:
> Sites that care (Facebook, GMail, etc) typically use the latter
> technique, but every now and then, they miss a spot. Having a simple
> opt-in mechanism that works for all content inclusion modes, and can
> be applied site-wide, is a clear win for them, probably.

I agree and I do think it would be helpful for those sites.  For more granular control, it would be helpful to have mechanism within HTML5 to define "privacy-sensitive context" (per link? per page?) and use it to omit referrer and origin, as described in Adam's "The Web Origin Concept" draft[1].  I believe HTML5 currently has hard-coded rules for when a request is privacy-sensitive, which is a similar approach to how referrer is selectively omitted, and like referrer, the lack of granular control doesn't provide the ideal security control for all sites.

Related, I saw that omitting the referrer entirely is part of mnot's "HTTP Browser Hints" draft[2], but I believe that would only affect requests being sent to the site providing the hint, which doesn't help with cross-domain requests.


- Bil

[1] http://tools.ietf.org/html/draft-abarth-origin-09#section-6.3
[2] http://tools.ietf.org/html/draft-nottingham-http-browser-hints-00#section-5.5
Received on Saturday, 28 May 2011 15:58:56 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 28 May 2011 15:58:57 GMT