W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > February 2010

[Bug 8869] New: Fetch algorithm should specify that no Referer is sent when the origin is a unique identifier

From: <bugzilla@wiggum.w3.org>
Date: Wed, 03 Feb 2010 09:34:29 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-8869-2486@http.www.w3.org/Bugs/Public/>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=8869

           Summary: Fetch algorithm should specify that no Referer is sent
                    when the origin is a unique identifier
           Product: HTML WG
           Version: unspecified
          Platform: PC
               URL: http://www.whatwg.org/specs/web-apps/current-
                    work/complete.html#fetch
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTML5 spec bugs
        AssignedTo: dave.null@w3.org
        ReportedBy: mjs@apple.com
         QAContact: public-html-bugzilla@w3.org
                CC: ian@hixie.ch, mike@w3.org, public-html@w3.org


When the origin is a unique identifier, no Referer header should be sent. There
are two obvious cases of this:

1) data: URLs - should not send Referer because that could be an information
disclosure.
2) sandboxed iframes without allow-origin - if they are not sending Origin as
if on the hosting site, they should not send Referer as if on the hosting site
either.

(2.6 Fetching resources is the relevant section)


-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 3 February 2010 09:34:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:10 UTC