- From: Nico Williams <nico@cryptonector.com>
- Date: Sat, 28 May 2011 00:17:45 -0500
- To: Adam Barth <w3c@adambarth.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>

On Fri, May 27, 2011 at 11:54 PM, Adam Barth <w3c@adambarth.com> wrote:
> Yeah, the sites that leak data in the paper seem like the types that
> would be helped more by on-by-default protection. I'm too scared of
> what would happen if we nuked Referer by default though. :(

Well, just what would happen?

One guess: sites that want linkees to get referrer info will resort to redirects, with URLs encoded in URLs (quite possibly via encryption, to defeat URL cleaning add-ons).

Another guess: site operators will scream bloody murder :)

What else?

But if site operators use referrers as a way to purposefully (yet with plausible deniability) leak information to selected third parties... What else can users do but turn off Referrers?

Nico
--

Received on Saturday, 28 May 2011 08:05:42 UTC