- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 27 May 2011 21:54:10 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>
On Fri, May 27, 2011 at 7:11 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 5/26/11 5:04 PM, Adam Barth wrote:
>> https://bugs.webkit.org/show_bug.cgi?id=61576
>>
>> Should we add a "scrub-referrer" directive to CSP?
>
> Adding it to CSP side-steps the breakage problem by making it
> opt-in, but will the sites we care about opt-in? Some of them simply
> don't care, they may already be doing stupid things like passing
> credentials in URLs in the clear. Some of them are passing the
> information on purpose.
>
> If we're concerned about referrer leaks we shouldn't rely on
> voluntary opt-in via CSP. I'm not strongly against adding it, but I
> suspect it's useless bloat. I'd prefer to standardize what we've got
> so far before we add more to it.

Yeah, the sites that leak data in the paper seem like the types that
would be helped more by on-by-default protection. I'm too scared of
what would happen if we nuked Referer by default though. :(

Adam
Received on Saturday, 28 May 2011 04:55:10 UTC
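The leak the thread is arguing about, as an added illustration (this is not code from the thread, from WebKit or from Mozilla): a page whose URL carries a session id and an e-mail address embeds third-party resources, and the simulator below computes what each third party learns from the Referer header under the classic default rule (full URL minus userinfo and fragment, nothing on an https-to-http downgrade) and under the proposed `scrub-referrer` directive. The directive's semantics assumed here, suppressing the Referer entirely, are an assumption, since the bug itself is not quoted above; the page URL, the third-party hosts and the list of sensitive parameter names are constructed for the example.

```python
"""
Referer leak simulator (added example, not code from the thread, WebKit or
Mozilla). Computes what a browser sends as the Referer header for a request
from `page_url` to `target_url`:

  * "default"        - classic behaviour: full URL minus userinfo and fragment,
                       and nothing at all on an https -> http downgrade
  * "scrub-referrer" - the hypothetical CSP directive under discussion; the
                       semantics modelled here (send no Referer at all) are an
                       assumption, since the bug is not quoted in the thread
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Query-parameter names treated as credentials/PII in the leak report
# (constructed list for the example).
SENSITIVE_PARAMS = {"sessionid", "token", "password", "email"}


def default_referer(page_url, target_url):
    """Referer a browser sends by default, or None if it sends nothing."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    # Only http(s) pages have a Referer worth modelling here.
    if src.scheme not in ("http", "https"):
        return None
    # Downgrade rule: never reveal an https page to an http target.
    if src.scheme == "https" and dst.scheme != "https":
        return None
    # Strip userinfo (user:pw@) and the fragment; keep path and query.
    netloc = src.hostname or ""
    if src.port:
        netloc += f":{src.port}"
    return urlunsplit((src.scheme, netloc, src.path or "/", src.query, ""))


def referer_for(page_url, target_url, policy="default"):
    """Referer under a policy: 'default' or the assumed 'scrub-referrer'."""
    if policy == "scrub-referrer":
        return None
    if policy != "default":
        raise ValueError(f"unknown policy {policy!r}")
    return default_referer(page_url, target_url)


def leaked_parameters(referer):
    """Sensitive query parameters the target origin learns from the Referer."""
    if referer is None:
        return set()
    params = parse_qs(urlsplit(referer).query, keep_blank_values=True)
    return {name for name in params if name.lower() in SENSITIVE_PARAMS}


def leak_report(page_url, target_urls, policy="default"):
    """Map each third-party target to the sensitive parameters it receives."""
    return {
        target: sorted(leaked_parameters(referer_for(page_url, target, policy)))
        for target in target_urls
    }


# Constructed scenario: a logged-in page that carries a session id and the
# user's e-mail in its URL and embeds two third-party resources.
PAGE = "https://bank.example/account?sessionid=abc123&email=a%40b.example#summary"
THIRD_PARTIES = [
    "https://tracker.example/pixel.gif",  # https -> https: full leak by default
    "http://ads.example/click",            # https -> http: downgrade, no Referer
]

if __name__ == "__main__":
    for policy in ("default", "scrub-referrer"):
        print(policy, leak_report(PAGE, THIRD_PARTIES, policy))
```

Under the default policy the https tracker receives `sessionid` and `email` while the http target gets nothing, which is the downgrade rule doing the work that the thread notes most sites never opt into; with `scrub-referrer` both targets receive nothing. The simulator only covers the classic rule; it does not model the later Referrer-Policy mechanism.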