- From: krgovind <notifications@github.com>
- Date: Tue, 21 Jul 2020 08:35:32 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 21 July 2020 15:35:44 UTC
Saluton TAG!

I'm requesting a TAG review of current and proposed handling of referrers across various browsers, as being discussed on privacycg/proposals#13.

As summarized by @englehardt on the PrivacyCG thread, referrers leak users' browsing activity cross-site. Browsers have either already shipped, or are experimenting with, a combination of:

- Applying a default policy of `strict-origin-when-cross-origin` - spec update in w3c/webappsec-referrer-policy#125
- Capping the referrer to either `strict-origin-when-cross-origin` or eTLD+1 (Firefox and Safari selectively apply capping to classified/tracker domains).

Does the TAG have an opinion on the present disparity among browsers, and on appropriate long-term handling of referrers? As @englehardt asks:

> At the very least it seems like we can align on defaulting to strict-origin-when-cross-origin (see also: w3c/webappsec-referrer-policy#125). But even this default can still be overwritten by motivated adversaries. This leads to the question of why only change the default, and not permanently trim cross-site referrers with no way to override?

CC: @domfarolino @johnwilander @erik-anderson @pes10k

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/538
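A model of the two mechanisms the message contrasts, as an added example that is not part of the original post or of any browser's code. It computes the `Referer` value a page-chosen policy produces for one request (the policies named above plus the other values in the Referrer Policy spec), then applies a browser-imposed cap on top: either `strict-origin-when-cross-origin` on cross-origin requests, or eTLD+1 on cross-site requests. The `demo()` function shows the point @englehardt raises: a page that sets `unsafe-url` overrides the default and leaks the full path cross-site, and only a cap stops that. The hard-coded public-suffix table, the `etld+1` cap name, the same-site test (registrable domain only, ignoring scheme) and the hostnames are assumptions; real browsers use the full Public Suffix List and their own tracker classification. Runs on Node.js 10 or later with no dependencies.

```javascript
'use strict';

// Assumption: a tiny stand-in for the Public Suffix List. Real browsers use the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk', 'github.io']);

// Registrable domain (eTLD+1) of a hostname, or null for IP literals and bare suffixes.
function etldPlusOne(hostname) {
  if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname)) return null; // assumption: IPv4 literals have no site
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  // Unknown TLD: treat the last label as the public suffix (the PSL "*" fallback).
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

// The spec strips credentials and the fragment before any referrer is sent.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}

function originOf(url) { return new URL(url).origin + '/'; }

// A downgrade is a TLS-protected referrer going to a request that is not TLS-protected.
function isDowngrade(referrer, target) {
  return new URL(referrer).protocol === 'https:' && new URL(target).protocol !== 'https:';
}

// Referer value produced by the page-selected policy, or null for no referrer.
function computeReferrer(referrer, target, policy) {
  const from = new URL(referrer), to = new URL(target);
  if (from.protocol !== 'http:' && from.protocol !== 'https:') return null; // non-http(s) referrers are never sent
  const same = from.origin === to.origin;
  const downgrade = isDowngrade(referrer, target);
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return stripForReferrer(referrer);
    case 'no-referrer-when-downgrade': return downgrade ? null : stripForReferrer(referrer);
    case 'same-origin': return same ? stripForReferrer(referrer) : null;
    case 'origin': return originOf(referrer);
    case 'strict-origin': return downgrade ? null : originOf(referrer);
    case 'origin-when-cross-origin': return same ? stripForReferrer(referrer) : originOf(referrer);
    case 'strict-origin-when-cross-origin':
      if (same) return stripForReferrer(referrer);
      return downgrade ? null : originOf(referrer);
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// Browser-imposed cap applied to whatever the page's policy produced (pageValue).
// 'strict-origin-when-cross-origin' trims cross-origin requests to the origin;
// 'etld+1' (assumed name, modelling the Firefox/Safari capping in the thread)
// trims cross-site requests to scheme://registrable-domain/.
function capReferrer(referrer, target, pageValue, cap) {
  if (pageValue === null) return null; // the page already sends nothing; nothing to trim
  const from = new URL(referrer), to = new URL(target);
  if (cap === 'strict-origin-when-cross-origin') {
    if (from.origin === to.origin) return pageValue;
    return isDowngrade(referrer, target) ? null : originOf(referrer);
  }
  if (cap === 'etld+1') {
    const site = etldPlusOne(from.hostname);
    if (site !== null && site === etldPlusOne(to.hostname)) return pageValue; // same-site: page policy stands
    if (site === null || isDowngrade(referrer, target)) return null;
    return `${from.protocol}//${site}/`;
  }
  throw new Error('unknown cap: ' + cap);
}

// Constructed scenario: a logged-in settings page embeds a third-party pixel.
function demo() {
  const referrer = 'https://user:pw@www.example.co.uk/account/settings?id=42#frag';
  const tracker = 'https://ads.tracker.net/pixel';
  const leaked = computeReferrer(referrer, tracker, 'unsafe-url'); // page overrides the default
  return {
    defaultPolicy: computeReferrer(referrer, tracker, 'strict-origin-when-cross-origin'),
    overridden: leaked,
    overriddenButCapped: capReferrer(referrer, tracker, leaked, 'strict-origin-when-cross-origin'),
    overriddenButEtldCapped: capReferrer(referrer, tracker, leaked, 'etld+1'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The cap is applied after the page's policy, so it can only remove information; a page that already sends `no-referrer` or `same-origin` is unaffected, while a page that sends `unsafe-url` is reduced to the origin or the site regardless of what it asked for.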