Re: scrub-referrer directive?

On 5/26/11 5:04 PM, Adam Barth wrote:
> Should we add a "scrub-referrer" directive to CSP?

Adding it to CSP side-steps the breakage problem by making it
opt-in, but will the sites we care about opt-in? Some of them simply
don't care, they may already be doing stupid things like passing
credentials in URLs in the clear. Some of them are passing the
information on purpose.

If we're concerned about referrer leaks we shouldn't rely on
voluntary opt-in via CSP. I'm not strongly against adding it, but I
suspect it's useless bloat. I'd prefer to standardize what we've got
so far before we add more to it.

-Dan Veditz

Received on Saturday, 28 May 2011 02:11:36 UTC