Re: scrub-referrer directive?

On Fri, May 27, 2011 at 7:11 PM, Daniel Veditz <> wrote:
> On 5/26/11 5:04 PM, Adam Barth wrote:
>> Should we add a "scrub-referrer" directive to CSP?
> Adding it to CSP side-steps the breakage problem by making it
> opt-in, but will the sites we care about opt-in? Some of them simply
> don't care, they may already be doing stupid things like passing
> credentials in URLs in the clear. Some of them are passing the
> information on purpose.
> If we're concerned about referrer leaks we shouldn't rely on
> voluntary opt-in via CSP. I'm not strongly against adding it, but I
> suspect it's useless bloat. I'd prefer to standardize what we've got
> so far before we add more to it.

Yeah, the sites that leak data in the paper seem like the types that
would be helped more by on-by-default protection.  I'm too scared of
what would happen if we nuked Referer by default though.  :(


Received on Saturday, 28 May 2011 04:55:10 UTC