Re: [REFERRER] 3 of 4 policy states are worst than the default from Tanvi Vyas on 2015-08-05 (public-webappsec@w3.org from August 2015)

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Wed, 05 Aug 2015 10:16:46 -0700
To: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>, Francois Marier <francois@mozilla.com>
CC: public-webappsec@w3.org
Message-ID: <55C244FE.6050507@mozilla.com>

Francois makes a good point.  We should offer a no downgrade option 
along with origin and origin when cross-origin.  Maybe as a second part 
to the content attribute.  Something like "origin;none-when-downgrade" 
and "origin when cross-origin;none-when-downgrade".



On 8/5/15 10:03 AM, Brad Hill wrote:
> Exactly what Mike said.  We *are* trying to encourage more HTTPS by 
> making it possible to upgrade from HTTP while preserving revenue 
> streams that depend on referrers being sent to third parties still 
> using HTTP, without having to re-architect your entire application to 
> send all outbound links through a HTTP redirect shim.
>
> On Wed, Aug 5, 2015 at 12:52 AM Mike West <mkwst@google.com 
> <mailto:mkwst@google.com>> wrote:
>
>     This behavior is to a large extent the entire point of Referrer
>     Policy. If we don't give sites a way around the default behavior
>     or dropping the referrer on downgrade, they'll do it themselves
>     via insecure redirects (e.g. 't.co <http://t.co>').
>
>     Perhaps we could offer something like what you want as an addition
>     (though I'm not sure I understand the use case (nor do I have a
>     good naming suggestion)).
>
>     -mike
>
>     On Aug 5, 2015 04:08, "Francois Marier" <francois@mozilla.com
>     <mailto:francois@mozilla.com>> wrote:
>
>         Sorry if this has been discussed before, but I was reading the
>         spec from
>         the point of view of what I'd like to use on my own sites by
>         default and
>         realized that of the 4 non-default policy states:
>
>         1. no referrer
>         2. origin
>         3. origin when cross-origin
>         4. unsafe url
>
>         only #1 is as good as the default (no referrer when downgrade)
>         when
>         looking at HTTPS to HTTP navigations.
>
>         I wouldn't mind using "origin when cross-origin" but I don't
>         want to
>         leak referrers on HTTP requests so it seems I'm stuck with the
>         default
>         policy.
>
>         Shouldn't we try to encourage more HTTPS and have all of the
>         policies
>         (except for unsafe URL of course) be at least as good as the
>         default
>         one? In other words, shouldn't "origin" and "origin when
>         cross-origin"
>         also imply "no referrer when downgrade"?
>
>         Francois
>

Received on Wednesday, 5 August 2015 17:17:19 UTC