Re: scrub-referrer directive?

On 27 May 2011 01:04, Adam Barth <> wrote:

> Lots of sensitive information leaks in the Referer header.  This paper
> has a bunch of scary examples:
> I'm not sure whether we can scrub the Referer header by default
> because lots of folks use the Referer header for all kinds of crazy
> stuff, but we should at least give sites an easy hook for scrubbing
> it.  There probably should be a couple options:
> 1) Remove header entirely.
> 2) Strip down the Referer to just the origin.

Whitehat on:
I think it's a good idea; it helps protect sites that don't use HTTPS.

Blackhat on:
I think it's a good idea, I can use a CSP server to strip or manipulate the
referrer. Hopefully when you extract the origin you'll make a mistake :)

Received on Friday, 27 May 2011 10:17:17 UTC
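
The two scrubbing options proposed in the quoted message, and the origin-extraction mistake the reply alludes to, as an added example that is not part of the thread. The function names `scrubReferrer` and `naiveOrigin`, the mode names and the sample URLs are constructed for illustration.

```javascript
// Hypothetical helper: apply one of the two proposed scrubbing options
// to a would-be Referer value. Returns null when no header should be sent.
function scrubReferrer(referrer, mode) {
  if (mode === "remove") return null;            // option 1: remove header entirely
  if (mode !== "origin") throw new Error("unknown mode: " + mode);

  let url;
  try {
    url = new URL(referrer);                     // real URL parser, not a regex
  } catch (e) {
    return null;                                 // unparseable input: fail closed
  }
  // Only http(s) URLs have a scheme/host/port origin worth sending.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  // option 2: url.origin is scheme://host[:port] only. Userinfo, path,
  // query and fragment are dropped; host is lowercased; default port omitted.
  return url.origin;
}

// Naive extraction, for contrast: "everything up to the first slash after
// the scheme". It keeps userinfo and any query string that follows the
// host without a slash in between.
function naiveOrigin(referrer) {
  const m = /^(https?:\/\/[^\/]+)/i.exec(referrer);
  return m ? m[1] : null;
}

// Constructed sample values.
const samples = [
  "https://example.com/account/reset?token=abc123",
  "https://example.com?token=abc123",
  "https://alice:s3cret@example.com/inbox",
  "HTTPS://EXAMPLE.com:443/a/b#frag",
  "http://example.com:8080/x",
];

for (const s of samples) {
  console.log(s);
  console.log("  naive :", naiveOrigin(s));
  console.log("  parsed:", scrubReferrer(s, "origin"));
}
```
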