- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Fri, 27 May 2011 23:22:38 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>
> Adding it to CSP side-steps the breakage problem by making it
> opt-in, but will the sites we care about opt-in? Some of them simply
> don't care, they may already be doing stupid things like passing
> credentials in URLs in the clear. Some of them are passing the
> information on purpose.

I think it's worth considering. Disabling "Referer" altogether (or crippling it substantially) without upsetting much of the Internet is probably not feasible. I can elaborate on this, but it's probably not necessary =)

So, without an opt-in solution, site owners have to resort to one of two things: not putting anything sensitive in URLs, ever (usually not feasible / enforceable), or scrubbing outgoing navigation carefully on every by doing some redirection tricks that suppress the header (painful, ugly, error-prone, impossible to do right for certain types of subresource loads).

Sites that care (Facebook, GMail, etc.) typically use the latter technique, but every now and then, they miss a spot. Having a simple opt-in mechanism that works for all content inclusion modes, and can be applied site-wide, is a clear win for them, probably.

/mz
Received on Saturday, 28 May 2011 06:23:26 UTC
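The "they miss a spot" problem above can be audited from the defending site's side: given outbound requests as a proxy or test harness records them (destination URL plus the Referer the browser attached), flag any third-party destination whose Referer carries a secret-looking query parameter or path segment. This is an added example, not code from the mail or from Mozilla; the hostnames, tokens and the `own_hosts` set are constructed, and the "sensitive" patterns are heuristics.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: (destination URL, Referer header the browser sent, or None).
# Hostnames and token values are made up for the example.
SAMPLE_REQUESTS = [
    ("https://cdn.example.net/lib.js", "https://app.example.com/reset?token=abc123def456"),
    ("https://analytics.example.org/ping", "https://app.example.com/inbox?sessionid=9f8e7d6c"),
    ("https://cdn.example.net/font.woff", "https://app.example.com/share/9Q7kP2mX4nR8tB1vZ3cY5"),
    ("https://partner.example.net/landing", "https://app.example.com/out?u=https://partner.example.net"),
    ("https://app.example.com/static/logo.png", "https://app.example.com/home"),
    ("https://third.example.net/widget", None),
]

# Heuristic: parameter names that usually carry credentials or capability tokens.
SENSITIVE_PARAM = re.compile(r"(token|sess(ion)?id|auth|key|password|secret|sig)", re.I)
# Heuristic: a path segment that looks like an opaque secret (long, high-entropy-ish, one alphabet).
SECRET_SEGMENT = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def referer_findings(referer):
    """Return labels for every secret-looking part of a Referer URL (empty list if clean)."""
    parts = urlsplit(referer)
    findings = [f"query:{name}" for name, _ in parse_qsl(parts.query, keep_blank_values=True)
                if SENSITIVE_PARAM.search(name)]
    findings += [f"path:{seg}" for seg in parts.path.split("/") if SECRET_SEGMENT.match(seg)]
    return findings


def find_referer_leaks(requests, own_hosts):
    """Return (destination host, referer path, findings) for each cross-site request whose
    Referer exposes something secret-looking. Requests to own_hosts are ignored: the
    header still goes out, but only back to the site itself (hostname equality is a
    simplification of 'same site')."""
    leaks = []
    for url, referer in requests:
        if not referer:
            continue  # nothing attached, e.g. the load was already scrubbed
        dest_host = urlsplit(url).hostname
        if dest_host in own_hosts:
            continue
        findings = referer_findings(referer)
        if findings:
            leaks.append((dest_host, urlsplit(referer).path, findings))
    return leaks


if __name__ == "__main__":
    for dest, path, what in find_referer_leaks(SAMPLE_REQUESTS, {"app.example.com"}):
        print(f"LEAK to {dest}: referer path {path} exposes {', '.join(what)}")
```

The out-link redirector on the fourth line is the "redirection trick" the mail describes; it passes because the Referer it exposes contains only a destination, not a credential.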