- From: Craig Francis <craig.francis@gmail.com>
- Date: Mon, 17 Aug 2015 10:31:26 +0100
- To: Francois Marier <francois@mozilla.com>
- Cc: public-webappsec@w3.org
On 15 Aug 2015, at 00:04, Francois Marier <francois@mozilla.com> wrote:
> - I couldn't think of a use for an author limiting same-origin referrers
> to origin, so I didn't include the existing "origin-only" policy.
If hosting multiple micro sites, where one does not trust the other, but still wants to see that the request came from the same domain?
https://www.example.com/drive/
https://www.example.com/analytics/
I think they should probably be looking at sub-domains anyway, but realise that there has been some work on a suborigin idea:
https://www.chromium.org/developers/design-documents/per-page-suborigins
On 15 Aug 2015, at 00:04, Francois Marier <francois@mozilla.com> wrote:
> Which means that if we wanted to let authors control this fully, we
> would allow them to do something like:
>
> referrer="same-origin=full cross-origin=origin downgrade=none"
I do like the flexibility this full header would provide, and I think I would find this easier to read (as a human, not parsing as a computer).
But as an aside, this is why I'd appreciate a list of examples to demonstrate what each policy does:
https://github.com/w3c/webappsec/issues/414
On 15 Aug 2015, at 00:04, Francois Marier <francois@mozilla.com> wrote:
> On 05/08/15 12:50 AM, Mike West wrote:
>> This behavior is to a large extent the entire point of Referrer Policy.
>> If we don't give sites a way around the default behavior or dropping the
>> referrer on downgrade, they'll do it themselves via insecure redirects
>> (e.g. 't.co <http://t.co>').
>
> Good point, I hadn't considered that. You (and Brad) are right.
>
>> Perhaps we could offer something like what you want as an addition
>> (though I'm not sure I understand the use case (nor do I have a good
>> naming suggestion)).
>
> I looked into this more carefully and identified three different kinds
> of relationships between a page and one of its resources/links:
>
> 1. same-origin: e.g. https://example.com/index.html ->
> https://example.com/other.html
>
> 2. cross-origin: e.g. https://example.com/index.html ->
> https://example.net/index.html
>
> 3. downgrade: e.g. https://example.com/index.html ->
> http://example.net/index.html
>
> Then we have three "levels" of referrer we can send:
>
> - full: e.g. https://example.com/index.html
> - origin-only: e.g. https://example.com
> - none
>
> Which means that if we wanted to let authors control this fully, we
> would allow them to do something like:
>
> referrer="same-origin=full cross-origin=origin downgrade=none"
>
> I'm not suggesting that we allow authors to use every possible
> combination however. I think we can simplify this and only offer the
> combinations that make sense:
>
> 1. same-origin=none cross-origin=none downgrade=none ("no-referrer")
> 2. same-origin=full cross-origin=none downgrade=none
> 3. same-origin=full cross-origin=origin downgrade=none
> 4. same-origin=full cross-origin=full downgrade=none
> ("no-referrer-when-downgrade")
> 5. same-origin=full cross-origin=origin downgrade=origin
> ("origin-when-cross-origin")
> 6. same-origin=full cross-origin=full downgrade=origin
> 7. same-origin=full cross-origin=full downgrade=full ("unsafe-url")
>
> Notes:
>
> - I couldn't think of a use for an author limiting same-origin referrers
> to origin, so I didn't include the existing "origin-only" policy.
>
> - Combinations 1 to 4 are all at least as safe as the default one.
>
> - Combinations 2, 3 and 6 are not currently in the spec.
>
> - I'm not sure whether or not we need #6.
>
> - I would personally use #2 or #3 on my sites.
>
> Francois
>
Received on Monday, 17 August 2015 09:32:16 UTC