Re: scrub-referrer directive?

On 27 May 2011 01:04, Adam Barth <w3c@adambarth.com> wrote:

> Lots of sensitive information leaks in the Referer header.  This paper
> has a bunch of scary examples:
>
> http://w2spconf.com/2011/papers/privacyVsProtection.pdf
>
> I'm not sure whether we can scrub the Referer header by default
> because lots of folks use the Referer header for all kinds of crazy
> stuff, but we should at least give sites an easy hook for scrubbing
> it.  There probably should be a couple options:
>
> 1) Remove header entirely.
> 2) Strip down the Referer to just the origin.
>

Whitehat on:
I think it's a good idea; it helps protect sites that don't use https.

Blackhat on:
I think it's a good idea. I can use a CSP server to strip or manipulate the
referrer; hopefully when you extract the origin you'll make a mistake :)

Received on Friday, 27 May 2011 10:17:17 UTC
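The two scrubbing options quoted above (remove the header entirely, or strip it down to the origin) as an added example, not code from the thread or from any browser. It uses the WHATWG URL parser that Node.js and browsers expose as the global `URL`; the policy names `"none"` and `"origin"`, the function names, and the sample Referer values are assumptions made for this demo. A naive string-slicing version is kept beside it to show the kind of origin-extraction mistake the reply is hoping for: it leaks userinfo and keeps a default port.

```javascript
// Added example, not part of the original mail thread.
// Assumed policy names: "none" = remove the header, "origin" = origin only.

// Correct version: let the URL parser do the work. url.origin is
// scheme + host + non-default port and never contains userinfo, path,
// query or fragment, which is where the sensitive data in a Referer lives.
// The trailing slash is the serialization browsers use for an origin-only
// referrer.
function scrubReferrer(referrer, policy) {
  if (policy === "none") return null; // option 1: send no Referer at all

  if (policy === "origin") {
    let url;
    try {
      url = new URL(referrer);
    } catch (e) {
      return null; // unparseable input: send nothing rather than guess
    }
    // Only http(s) referrers belong on the wire; drop data:, blob:, file: etc.
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    return url.origin + "/"; // option 2: origin only
  }

  throw new Error("unknown policy: " + policy);
}

// Naive version: slice up to the third "/" and call the result the origin.
// This keeps "user:pw@" and an explicit default port, and so still leaks
// credentials embedded in the URL. Kept here only to show the pitfall.
function naiveOrigin(referrer) {
  const i = referrer.indexOf("/", referrer.indexOf("//") + 2);
  return i === -1 ? referrer : referrer.slice(0, i);
}

// Constructed sample values (not real sites or tokens).
const samples = [
  "https://user:pw@example.com:443/account/123?token=abc#settings",
  "http://example.com:8080/reset?code=9f2",
  "data:text/html,<p>x</p>",
  "not a url",
];

for (const r of samples) {
  console.log(JSON.stringify(r));
  console.log("  none   :", scrubReferrer(r, "none"));
  console.log("  origin :", scrubReferrer(r, "origin"));
  console.log("  naive  :", naiveOrigin(r));
}
```

The comparison makes the failure mode concrete: for the first sample, `scrubReferrer(..., "origin")` yields `https://example.com/`, while `naiveOrigin` yields `https://user:pw@example.com:443`, so a site that rolled its own extraction would still ship the credentials it meant to strip.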