
Re: scrub-referrer directive?

From: Sid Stamm <sid@mozilla.com>
Date: Sat, 28 May 2011 09:07:36 -0700
Message-ID: <4DE11DC8.4030603@mozilla.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
CC: Daniel Veditz <dveditz@mozilla.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>
On 5/27/11 11:22 p, Michal Zalewski wrote:
> Sites that care (Facebook, GMail, etc) typically use the latter
> technique, but every now and then, they miss a spot. Having a simple
> opt-in mechanism that works for all content inclusion modes, and can
> be applied site-wide, is a clear win for them, probably.

I'd be up for adding a directive to CSP in the future, but not for the
current working draft (really want to avoid seeing spec creep before a
first version is ready).

I know the rel=noreferrer in webkit[0] seems promising, but yeah, if you
miss one you're hosed.  What if we put it or something similar in the
<body> tag?

[0] http://www.webkit.org/blog/907/webkit-nightlies-support-html5-noreferrer-link-relation/

-Sid
Received on Saturday, 28 May 2011 16:08:05 GMT
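
Added example, not part of the original message or of any browser's code: a small Python audit for the failure mode discussed in this thread, where a single cross-origin link without rel=noreferrer leaks the page URL. The tag lists, host names and sample markup are constructed assumptions; the script also reports cross-origin img/script/iframe/embed URLs, which a per-link rel attribute cannot cover.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements where rel=noreferrer can be set (hyperlinks) versus elements that
# fetch a URL but have no rel attribute to carry it (assumed, non-exhaustive).
LINK_TAGS = {"a": "href", "area": "href"}
INCLUDE_TAGS = {"img": "src", "script": "src", "iframe": "src", "embed": "src"}

class ReferrerAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origin = urlsplit(page_url)[:2]   # (scheme, host[:port])
        self.missing = []     # cross-origin links without rel=noreferrer
        self.uncovered = []   # cross-origin inclusions rel cannot cover

    def _cross_origin(self, url):
        parts = urlsplit(urljoin(self.page_url, url))
        return parts.scheme in ("http", "https") and parts[:2] != self.origin

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)   # tag and attribute names arrive lowercased
        if tag in LINK_TAGS:
            url = attrs.get(LINK_TAGS[tag])
            rel = (attrs.get("rel") or "").lower().split()
            if url and self._cross_origin(url) and "noreferrer" not in rel:
                self.missing.append((self.getpos()[0], tag, url))
        elif tag in INCLUDE_TAGS:
            url = attrs.get(INCLUDE_TAGS[tag])
            if url and self._cross_origin(url):
                self.uncovered.append((self.getpos()[0], tag, url))

def audit(html, page_url):
    """Return (links missing noreferrer, inclusions rel cannot cover)."""
    parser = ReferrerAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.missing, parser.uncovered

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<body>
<a href="/inbox">inbox</a>
<a rel="noreferrer" href="http://other.example/a">covered</a>
<a href="http://other.example/b">missed</a>
<A REL="nofollow NoReferrer" HREF="//cdn.example/c">covered</A>
<img src="http://tracker.example/pixel.gif">
</body>"""

if __name__ == "__main__":
    missing, uncovered = audit(SAMPLE, "http://mail.example/view?msg=secret-id")
    for line, tag, url in missing + uncovered:
        print(f"line {line}: <{tag}> {url}")
```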
