Re: referrer directive expressiveness

From: Mike West <mkwst@google.com>
Date: Mon, 10 Feb 2014 15:37:14 +0100
Message-ID: <CAKXHy=dPNmw0KQ4k1aftQNKtF-fT8+qHPHx+_EnOu4gymFk=5A@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: David Bruant <bruant.d@gmail.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>

On Mon, Feb 10, 2014 at 3:05 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> "url-unless-downgrade" might make more sense given that description?

"downgrade" sounds perfect. I'm not thrilled with 'unless', though. I'm not
sure it's any clearer to specify the "unless" case than the "when" case.

I guess we could change "origin-when-cross-origin" to
"url-unless-cross-origin", but I'm not sure how to distinguish between the
"unless" behavior: "unless-downgrade" sends no referrer.
"unless-cross-origin" sends origin information. For that reason, I'd prefer
"none-when-downgrade" and "origin-when-cross-origin", as they specify the
important differences more clearly.

All that said, I think I now agree with you that "default" might be better.

> Another nit, just "origin" (rather than "origin-always") and
> "unsafe-url" to align with "none". Or "none-always", but shorter seems
> better.

Sure, that makes sense:

> When we talked about this at Mozilla Brian at least wanted to be able
> to experiment with exposing less than done currently. I haven't really
> made up my mind personally as to whether that would make privacy
> better, but

Limiting referrer info to origin by default does seem less likely to leak
potentially interesting URL tokens, while providing some of the value of
the full header to site authors. *shrug* I'm not overly concerned about
referrer leakage personally, but I can see good arguments for 'origin'
being a better default than our current state from a privacy perspective.
It'll annoy publishers, of course, but I suppose that's a bit outside the
scope of this directive.

> it does seem like something that the user should have
> control over and a browser should be able to have a conservative
> policy for.

I agree. The spec (and <meta referrer> before it) notes that user agents
should feel more than free to limit referrer information in whatever way
they feel appropriate, regardless of the defined referrer policy.

Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 10 February 2014 14:38:06 UTC
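
The distinctions drawn in the message above, as an added example (not part of the original email and not the specification's algorithm): a sketch of the referrer each proposed policy name would yield. It assumes "downgrade" means an HTTPS page requesting a non-HTTPS URL; `computeReferrer`, `stripForReferrer` and the sample URLs are constructed for illustration.

```javascript
// Added illustration. Policy names are the ones proposed in this thread.
// Assumption: "downgrade" = https: source requesting a non-https: destination.

// Credentials and fragments are dropped before a URL is used as a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the referrer string to send, or null when none is sent.
function computeReferrer(policy, sourceUrl, destUrl) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  const fullUrl = stripForReferrer(sourceUrl);
  const originOnly = src.origin + '/';
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';
  const crossOrigin = src.origin !== dst.origin;

  switch (policy) {
    case 'none':
      return null;
    case 'none-when-downgrade':
      return downgrade ? null : fullUrl;
    case 'origin':
      return originOnly;
    case 'origin-when-cross-origin':
      return crossOrigin ? originOnly : fullUrl;
    case 'unsafe-url':
      return fullUrl; // full URL even on downgrade, hence "unsafe"
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Constructed sample: a page URL carrying a token in its query string.
const SAMPLE_SOURCE = 'https://example.com/reset?token=abc123#step2';
const POLICIES = ['none', 'none-when-downgrade', 'origin',
                  'origin-when-cross-origin', 'unsafe-url'];

// Maps every policy name to the referrer sent from SAMPLE_SOURCE to destUrl.
function referrerTable(destUrl) {
  return Object.fromEntries(
    POLICIES.map((p) => [p, computeReferrer(p, SAMPLE_SOURCE, destUrl)]));
}
```

Calling `referrerTable('http://other.example/')` shows the token-bearing URL leaving the page only under "unsafe-url", while "origin" and "origin-when-cross-origin" reduce it to the origin.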