[whatwg] <meta name="referrer">

On Tue, Oct 25, 2011 at 7:55 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:

> There is a fairly strong security benefit of policing it on document-
> or even origin-level: it's exceedingly easy to miss an outgoing link
> or a Referer-sending subresource (including <img>, <iframe>, <link
> rel=...>) otherwise.
>

But it has the very problem that it's global, whether you want it or not.
Also, the problem is reversed for "always"--you probably *want* to specify
that explicitly on a link-by-link basis, since it's loosening the referrer
rules rather than tightening them.

<meta> could be used to set the default referrer mode, then use rel=
consistently with noreferrer.  For example,

<meta name="referrer" content="noreferrer">
<meta name="referrer" content="alwaysreferrer">
<meta name="referrer" content="originreferrer">
<meta name="referrer" content="defaultreferrer">

This would set the default, which could be overridden with rel:

<a rel="noreferrer"> <!-- already works -->
<a rel="alwaysreferrer">
<a rel="originreferrer">
<a rel="defaultreferrer">

That would allow using the existing noreferrer feature globally, using the
new referrer modes for specific links, setting noreferrer globally and a
different mode for specific resources, and so on.

On Tue, Oct 25, 2011 at 7:59 PM, Adam Barth <w3c at adambarth.com> wrote:

> Similarly, it's useful for this feature to apply to things besides links,
> such as iframes (e.g., advertisements embedded in a social networking
> site---see previously mentioned news stories).  I can add this
> information to the use cases section if that would be helpful.
>

Are implementors really willing to implement a feature that allows disabling
referrers for non-links, though?  I'm pretty sure rel=noreferrer's
links-only limitation is by design.

-- 
Glenn Maynard

Received on Tuesday, 25 October 2011 17:59:07 UTC
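As an added illustration (not code from the thread or from any browser), the following Python script resolves the effective mode of every outgoing reference under the scheme sketched above: a `<meta name="referrer">` document default, overridable by `rel=` on `<a>` only, with `<img>`, `<iframe>` and `<link>` covered solely by the default. The mode names are the ones proposed in the post, not the later standardized Referrer-Policy values; the sample markup, the first-meta-wins rule and the treatment of `defaultreferrer` as sending a full Referer are constructed assumptions.

```python
from html.parser import HTMLParser

# Mode names as proposed in the post, not the later Referrer-Policy names.
MODES = {"noreferrer", "alwaysreferrer", "originreferrer", "defaultreferrer"}
# Assumption: "always" and the browser default both send the full Referer.
SENDS_FULL = {"alwaysreferrer", "defaultreferrer"}
# Elements whose fetch carries a Referer; only <a> honours a rel= override.
REFERRING = {"a": "href", "img": "src", "iframe": "src", "link": "href"}

class ReferrerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.default = None  # from <meta name="referrer">
        self.raw = []        # (tag, url, rel tokens)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "referrer":
            # Assumption: the first valid <meta> sets the document default.
            if self.default is None and a.get("content") in MODES:
                self.default = a["content"]
        elif tag in REFERRING and a.get(REFERRING[tag]):
            rel = set((a.get("rel") or "").split())
            self.raw.append((tag, a[REFERRING[tag]], rel))

def effective_modes(html):
    """[(tag, url, mode)]: meta default, overridden by rel= on <a> only."""
    p = ReferrerAudit()
    p.feed(html)
    p.close()
    default = p.default or "defaultreferrer"
    out = []
    for tag, url, rel in p.raw:
        override = rel & MODES if tag == "a" else set()
        out.append((tag, url, sorted(override)[0] if override else default))
    return out

def full_referer_leaks(html):
    """References that would still send a full Referer to their target."""
    return [(t, u) for t, u, m in effective_modes(html) if m in SENDS_FULL]

# Constructed sample: document-wide noreferrer, one link opted back in.
SAMPLE = """<!doctype html><meta name="referrer" content="noreferrer">
<link rel="stylesheet" href="https://cdn.example/site.css">
<a href="https://partner.example/" rel="alwaysreferrer">partner</a>
<a href="https://other.example/">other</a>
<img src="https://tracker.example/pixel.gif">
<iframe src="https://ads.example/slot"></iframe>"""
```

Running `full_referer_leaks` on a document with no `<meta>` and only `rel="noreferrer"` on the links reports every `<img>`, `<iframe>` and `<link>` as still sending a Referer, which is the case the quoted message says is easy to miss.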