- From: Info@RescueTheWeb.Org <info@rescuetheweb.org>
- Date: Wed, 10 Feb 2010 19:22:46 -0800 (PST)
- To: public-html-comments@w3.org
Hello, Most browsers support RFC 2616 in which they send the referring URL along with the http request to the destination server, whenever a user clicks on a hyperlink. Some browsers support a feature where if you come from a https domain and go toward a http domain the referrer will not be sent. However, in terms of maintaining the security of an administrator section of a website, the referrer presents a problem. Anytime a web designer puts a hyperlink to a 3rd party website within a 'private' section of their own website there is a risk that the 3rd party website will use the referrer information to try to hack the web designers site. Even using https does not alleviate this issue since the 3rd party site could also be https (thus resulting in the sending of the referrer info). Using a redirector (bounce) page would solve this problem, but that requires technical know-how and server configurability perhaps beyond everyone's reach. Since the web is the great equalizer, it would be more appropriate to have the ability to request that referrer sending be turned off. My proposal would be to add an attribute to the <a> tag that would allow you to turn off referrer sending as needed per link. Something such as <a href="" noreferrer>link text</a> would work. Of course, this would impact the object model slightly too. Thanks for your consideration, matt
Received on Thursday, 11 February 2010 15:51:03 UTC