Re: scrub-referrer directive?

On 5/26/11 10:03 PM, Adam Barth wrote:
> Another possibility is to just strip the query (and fragment,
> of course).

I'm not sure there's much point of that. Stripping the query already
breaks a lot of legitimate uses for the referrer, while not
protecting against some of the SSO-type URLs that pass user or
session IDs in the URL itself. If there's a case that Referer: can
be safely pared back we should go all the way back to an unadorned
origin. (It's still going to break stuff; who wants to go first?)

Fragments should already not be sent with the Referer.

Received on Friday, 27 May 2011 23:28:27 UTC
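To make the trade-off in the reply concrete, here is an added example (not code from the thread or from any browser) that reduces a referring URL the three ways discussed: full URL minus fragment, query stripped, and unadorned origin. It then checks whether a session token embedded in the URL path, as in the SSO-style URLs mentioned above, survives each reduction. The URL and the token are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed SSO-style URL: the session token sits in the PATH, not the query.
SSO_URL = "https://sso.example/session/SESSIONTOKEN123/home?user=alice#top"
SESSION_TOKEN = "SESSIONTOKEN123"  # placeholder value, not a real token

MODES = ("full", "strip-query", "origin")


def _origin(parts) -> str:
    """scheme://host[:port]/ with userinfo dropped, the way an origin referrer looks."""
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}/"


def reduce_referrer(url: str, mode: str) -> str:
    """Return the Referer value a client would send for `url` under `mode`.

    'full'        -> everything except the fragment (fragments are never sent)
    'strip-query' -> scheme://host/path, query dropped as well
    'origin'      -> unadorned origin only
    """
    parts = urlsplit(url)
    if mode == "full":
        return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))
    if mode == "strip-query":
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if mode == "origin":
        return _origin(parts)
    raise ValueError(f"unknown mode {mode!r}")


def token_survives(secret: str, referrer: str) -> bool:
    """True if the secret would still reach the next site via the Referer header."""
    return secret in referrer


def leak_report(url: str, secret: str) -> dict:
    """Map each reduction mode to whether the secret still leaks."""
    return {mode: token_survives(secret, reduce_referrer(url, mode)) for mode in MODES}


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:12s} -> {reduce_referrer(SSO_URL, mode)}")
    print(leak_report(SSO_URL, SESSION_TOKEN))
```

Only the origin-only reduction removes the path-borne token; stripping the query alone leaves it in place, which is the point the reply makes.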