Re: scrub-referrer directive?

Michal Zalewski wrote on 5/27/2011 11:22 PM:
> Sites that care (Facebook, GMail, etc) typically use the latter
> technique, but every now and then, they miss a spot. Having a simple
> opt-in mechanism that works for all content inclusion modes, and can
> be applied site-wide, is a clear win for them, probably.

I agree and I do think it would be helpful for those sites.  For more granular control, it would be helpful to have mechanism within HTML5 to define "privacy-sensitive context" (per link? per page?) and use it to omit referrer and origin, as described in Adam's "The Web Origin Concept" draft[1].  I believe HTML5 currently has hard-coded rules for when a request is privacy-sensitive, which is a similar approach to how referrer is selectively omitted, and like referrer, the lack of granular control doesn't provide the ideal security control for all sites.

Related, I saw that omitting the referrer entirely is part of mnot's "HTTP Browser Hints" draft[2], but I believe that would only affect requests being sent to the site providing the hint, which doesn't help with cross-domain requests.

- Bil


Received on Saturday, 28 May 2011 15:58:56 UTC