- From: Brian Smith <brian@briansmith.org>
- Date: Fri, 9 Oct 2015 10:06:28 -1000
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jochen Eisinger <eisinger@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
- Message-ID: <CAFewVt7WJ2S0iqd5Xyth6DNcDwAGeH-1RwHG_ZYxn-XnAB_scg@mail.gmail.com>
On Fri, Oct 9, 2015 at 3:45 AM, Mike West <mkwst@google.com> wrote:
> So, while rewriting most of CSP, I think I've decided that Brian was
> right, way back in
> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html.
> CSP is simpler to conceptualize as a purely restrictive mechanism, and
> I'm on board with the idea that we should keep it that way.
>
> To that end, I would suggest that we drop the `referrer` directive
> from the referrer policy spec,
I support the idea of removing the referrer directive from CSP and for
browsers to remove their current support for the CSP referrer directive
soon. But, please keep reading.
> and turn it into a distinct header
Rather than take the current definition of CSP referrer and make it the
definition of a new HTTP header field, let's take this time to figure out
what semantics we really want. In particular, if the header field would
just have the same semantics as <meta referrer> then I'd rather just keep
<meta referrer> without adding any HTTP header variant. But, if people are
open to improving upon <meta referrer> then I think it does make sense to
define a new header field.
And, in particular, I think that the work for defining the new header
should be prioritized according to the goal of changing browsers to have a
safer default referrer policy, such as the one I described in
https://briansmith.org/referrer-01.
To be clear, I'm open to extending that proposal to address the concerns of
Google/Doubleclick and anybody else who objects to it. To that end, it
would be helpful if the Google/Doubleclick people could share what they
want. My understanding is that they want to have a way to say something
like this:
Referrer-Policy: none; unsafe-url: "https://adserver.example.com"
That would mean "Don't send referrers, except send the full referrer for
subresources hosted on https://adserver.example.com and navigations through
https://adserver.example.com." I was hoping that this could be done via the
referrerpolicy attribute on the individual HTML elements for the ads, but
my understanding is that Google/Doubleclick wants something that doesn't
require users to change their HTML. Note that my understanding of what
Google/Doubleclick wants is based on a summary provided to me by Mozilla,
so there may be inaccuracies there.
Regardless of the specifics, my point is that we should not just blindly
copy CSP referrer into a separate header field, and that we should take
this as an opportunity to improve the unsafe default.
Cheers,
Brian
--
https://briansmith.org/
Received on Friday, 9 October 2015 20:06:56 UTC
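One way to make the semantics sketched in the message concrete, as an added example that is not part of the original thread: a small Python model of the hypothetical header form `Referrer-Policy: none; unsafe-url: "https://adserver.example.com"`. The syntax is Brian's sketch, not a shipped standard; the comma-separated origin list, the default-port normalization, and the stripping of credentials and fragment from the sent value are assumptions of this example. Given a page URL and a fetch or navigation target, it decides whether a Referer value leaves the page at all and, if so, what it contains.

```python
"""Model of the hypothetical per-origin Referrer-Policy exception discussed above.

Assumed syntax (a sketch from the mailing-list message, not a shipped standard):
    Referrer-Policy: none; unsafe-url: "https://adserver.example.com"
"""
from urllib.parse import urlparse, urlunparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) with the default port filled in, so that
    https://a.example and https://a.example:443 compare equal (assumption)."""
    p = urlparse(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme.lower())
    return (p.scheme.lower(), p.hostname, port)


def parse_policy(header):
    """Parse the hypothetical header into (default, frozenset of exception origins).

    Only the two tokens from the message are understood: the default 'none'
    and an 'unsafe-url' directive listing quoted origins (comma-separated,
    an assumption of this example)."""
    default = None
    exceptions = set()
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        # partition on the first ':' so the colon inside "https://..." survives
        name, sep, value = part.partition(":")
        name = name.strip().lower()
        if not sep:
            if name != "none":
                raise ValueError(f"unknown default {name!r}")
            default = "none"
        elif name == "unsafe-url":
            for item in value.split(","):
                item = item.strip().strip('"')
                if item:
                    exceptions.add(origin_of(item))
        else:
            raise ValueError(f"unknown directive {name!r}")
    if default is None:
        raise ValueError("policy has no default")
    return default, frozenset(exceptions)


def strip_for_referrer(url):
    """What the 'unsafe-url' exception would send: the full page URL minus
    credentials and fragment (assumption; path and query are kept)."""
    p = urlparse(url)
    netloc = p.hostname + (f":{p.port}" if p.port is not None else "")
    return urlunparse((p.scheme, netloc, p.path, p.params, p.query, ""))


def referrer_for(policy, page_url, target_url):
    """Referer value (or None) the page at page_url would send to target_url.

    The exception is keyed on the target's origin, covering both subresources
    hosted there and navigations through it, as the message describes."""
    default, exceptions = policy
    if origin_of(target_url) in exceptions:
        return strip_for_referrer(page_url)
    return None  # default 'none': nothing leaves the page


if __name__ == "__main__":
    # Constructed sample: a page whose URL carries a query string that the
    # 'none' default keeps away from every third party except the listed one.
    page = "https://user:pw@shop.example/cart?order=123#step2"
    policy = parse_policy('none; unsafe-url: "https://adserver.example.com"')
    for target in ("https://adserver.example.com/ad.js",
                   "https://adserver.example.com:443/click?to=x",
                   "http://adserver.example.com/ad.js",   # scheme mismatch: no exception
                   "https://tracker.example/pixel.gif"):
        print(f"{target:45} -> {referrer_for(policy, page, target)}")
```

Running the model shows the trade-off the thread is weighing: under the `none` default the page's path and query reach nobody, but the listed origin receives them in full, so an operator granting such an exception is choosing to disclose every page URL (including query parameters) to that one party. The same scheme over plain http does not match the exception, which is the behaviour one would want so that a downgrade does not widen the disclosure. The shipped Referrer Policy header ended up carrying a single policy value, with per-element exceptions expressed through the `referrerpolicy` attribute the message mentions rather than an origin list in the header.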