
referrer spec and backwards compatibility

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 8 Feb 2015 23:32:31 -0800
Message-ID: <CAPfop_3WQ2OEi+g+i3GnTW0xvNbiPD-AB0CT+ms+XMp6oycsfg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi

(previously on blink-security-dev
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/-t_-5m6ChDg)

Currently, (I believe) in release versions, Firefox supports the
"origin-when-crossorigin" value for the referrer directive while
Chrome doesn't. Unfortunately, the Chrome implementation of the spec
is "if I don't know the name of the directive value, fall back to the
secure 'none'". This means that as a web application developer, I
can't use origin-when-crossorigin since it would break referrer for
far too many users.

I think the spec should be changed to say "if you don't know the name
of the directive, ignore it". This will allow web application
developers to make the best choice according to what they feel is the
right thing to do. For example, the web application could do:

<meta content="unsafe-url" name="referrer" />
<meta content="origin-when-crossorigin" name="referrer" />

This will allow the app to provide the most protection possible
without breaking features and not being limited by what version of the
browser the user is relying on.

What do others think?

cheers
Dev
Received on Monday, 9 February 2015 07:33:19 UTC
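As an added illustration that is not part of Dev's message: a small model of the two parsing rules under discussion ("unknown value falls back to none" versus "unknown value is ignored"), run over the two meta tags from the post, followed by the Referer value each resulting policy would send. The sets of known values, the "default" policy name and the sample URLs are assumptions.

```javascript
// Added example (not from the original post): models how a browser resolves a
// series of <meta name="referrer"> tags under the two parsing rules discussed,
// then computes what Referer value a navigation would actually carry.

// Assumed sets of values each browser understands. "none" and "unsafe-url"
// are the names used in the post; the second set also knows the newer value.
const KNOWN_OLD = new Set(["none", "unsafe-url"]);
const KNOWN_NEW = new Set([...KNOWN_OLD, "origin-when-crossorigin"]);

// mode "fallback": an unrecognised value becomes the secure "none"
//                  (the behaviour the post describes for Chrome).
// mode "ignore":   an unrecognised value leaves the current policy untouched
//                  (the change the post proposes).
function resolvePolicy(metaValues, known, mode) {
  let policy = "default"; // assumed: the browser's no-referrer-when-downgrade default
  for (const v of metaValues) {
    if (known.has(v)) policy = v;
    else if (mode === "fallback") policy = "none";
  }
  return policy;
}

// Referrer URLs never carry a fragment; drop it before sending.
const stripFragment = (u) => u.origin + u.pathname + u.search;

// Referer value sent when navigating from `from` to `to` under `policy`
// (null means no Referer header at all).
function referrerFor(policy, from, to) {
  const f = new URL(from), t = new URL(to);
  const sameOrigin = f.origin === t.origin;
  const downgrade = f.protocol === "https:" && t.protocol === "http:";
  switch (policy) {
    case "none": return null;
    case "unsafe-url": return stripFragment(f);
    case "origin-when-crossorigin": return sameOrigin ? stripFragment(f) : f.origin + "/";
    default: return downgrade ? null : stripFragment(f);
  }
}

// The two tags from the post, in document order.
const POST_TAGS = ["unsafe-url", "origin-when-crossorigin"];

// Constructed sample navigation used to compare outcomes.
const FROM = "https://app.example/account/settings?tab=1#top";
for (const [label, known, mode] of [
  ["old browser, fallback", KNOWN_OLD, "fallback"],
  ["old browser, ignore",   KNOWN_OLD, "ignore"],
  ["new browser, either",   KNOWN_NEW, "fallback"],
]) {
  const p = resolvePolicy(POST_TAGS, known, mode);
  console.log(`${label}: policy=${p}, cross-origin Referer=${referrerFor(p, FROM, "https://other.example/")}`);
}
```

The run shows the breakage the post describes: under the fallback rule an older browser ends up sending no referrer at all, whereas under the ignore rule it keeps "unsafe-url" and a newer browser gets "origin-when-crossorigin" either way.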
