- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 27 May 2011 16:27:52 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org
On 5/26/11 10:03 PM, Adam Barth wrote:
> Another possibility is to just strip the query (and fragment,
> of course).

I'm not sure there's much point of that. Stripping the query already breaks a lot of legitimate uses for the referrer, while not protecting against some of the SSO-type URLs that pass user or session IDs in the URL itself.

If there's a case that Referer: can be safely pared back we should go all the way back to an unadorned origin. (It's still going to break stuff; who wants to go first?)

Fragments should already not be sent with the Referer.
Received on Friday, 27 May 2011 23:28:27 UTC
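The two candidate Referer policies under discussion, as an added example that is not part of the thread: "strip the query" keeps the path, so an SSO-style URL carrying the session ID in the path still leaks it, while "origin only" does not. The sample URLs and the `abc123` token are constructed for the demo; the WHATWG `URL` API does the parsing.

```javascript
// Added example (not from the original thread). Compares a "strip the
// query (and fragment)" Referer policy with an "unadorned origin" policy
// on constructed URLs. Fragments are never sent in Referer, so both drop them.

function stripQueryReferer(urlString) {
  const u = new URL(urlString);
  u.search = ""; // drop ?query
  u.hash = "";   // drop #fragment (never sent anyway)
  return u.toString();
}

function originOnlyReferer(urlString) {
  // scheme + host + port only; path, query and fragment all gone
  return new URL(urlString).origin + "/";
}

// Demo check (hypothetical, constructed for this example): does the
// resulting Referer value still contain the secret token?
function leaksToken(referer, token) {
  return referer.includes(token);
}

// Constructed sample URLs; "abc123" stands in for a user/session ID.
const SAMPLES = {
  // token in the query string: stripping the query removes it
  queryToken: "https://app.example/dashboard?sid=abc123#top",
  // SSO-style token in the path: stripping the query does NOT remove it
  pathToken: "https://sso.example/session/abc123/continue?next=/home",
};

function evaluate(token = "abc123") {
  const results = {};
  for (const [name, url] of Object.entries(SAMPLES)) {
    const stripQuery = stripQueryReferer(url);
    const originOnly = originOnlyReferer(url);
    results[name] = {
      stripQuery,
      originOnly,
      stripQueryLeaks: leaksToken(stripQuery, token),
      originOnlyLeaks: leaksToken(originOnly, token),
    };
  }
  return results;
}
```

`evaluate()` returns both trimmed forms per sample; only the origin-only form is free of the token in every case.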