- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sat, 8 Nov 2014 14:38:02 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, eisinger@google.com
> Can we have a referer policy directive that lets the web application
> specify a same-origin URI to use as a referer?

Hmm, but the use case you describe sounds a bit dangerous - sounds like you have very powerful capability-bearing URLs that persist in the address bar, but that you don't want to leak to your own origin (your rejected solution #1).

But such capability URLs that persist in the address bar are also likely to be accidentally leaked by users when taking screenshots / screencasting, end up in browsing histories, and may end up in crash logs submitted to vendors (Mozilla, for example, collects crash URLs).

Now, we're already past the point where Referer policies were simple enough to justify keeping them somewhat separate from CSP, so perhaps they should be just fully CSPized, giving you precise control over which origins or domains get which form of the referer header... but this particular special case makes me a bit uncertain.

/mz
Received on Saturday, 8 November 2014 22:38:54 UTC
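The leakage behaviour discussed above, as an added example that is not part of the thread: a small Python model of which Referer form a browser sends under each standard Referrer-Policy value (names standardised after this 2014 exchange), plus a hypothetical per-destination-origin map standing in for the "CSPized" control Michal mentions. The capability URL and token are constructed, and `referrer_under_map` is an assumption, not any browser's behaviour.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a capability-bearing URL of the kind the thread worries about.
CAP_TOKEN = "cap-CONSTRUCTED-TOKEN-0123"
CAP_URL = f"https://app.example/share/{CAP_TOKEN}#section-2"


def _parts(url):
    """Return (scheme, origin, full-form referrer) for a URL."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    # The "full" Referer form always drops userinfo and the fragment.
    return p.scheme, f"{p.scheme}://{host}", urlunsplit((p.scheme, host, p.path, p.query, ""))


def referrer_for(policy, source, dest):
    """Referer a browser sends from source to dest under a standard
    Referrer-Policy value; None means the header is omitted."""
    src_scheme, src_origin, full = _parts(source)
    dst_scheme, dst_origin, _ = _parts(dest)
    same_origin = src_origin == dst_origin
    downgrade = src_scheme == "https" and dst_scheme == "http"
    origin_only = src_origin + "/"  # origin form is serialised with a trailing slash
    table = {
        "no-referrer": None,
        "unsafe-url": full,
        "no-referrer-when-downgrade": None if downgrade else full,
        "origin": origin_only,
        "strict-origin": None if downgrade else origin_only,
        "same-origin": full if same_origin else None,
        "origin-when-cross-origin": full if same_origin else origin_only,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else origin_only),
    }
    return table[policy]


def referrer_under_map(policy_map, source, dest, default="strict-origin-when-cross-origin"):
    """Hypothetical per-destination control (the 'CSPized' idea in the thread):
    the policy is chosen by the destination origin, falling back to `default`."""
    _, dst_origin, _ = _parts(dest)
    return referrer_for(policy_map.get(dst_origin, default), source, dest)


def leaks_capability(policy, source, dest, token=CAP_TOKEN):
    """True when the capability token survives into the Referer header."""
    return token in (referrer_for(policy, source, dest) or "")
```

Note that `same-origin` still hands the full capability URL to every same-origin subresource, which is exactly the rejected solution #1; only the origin-only forms keep the token out of the header.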