
Re: Referrer Policy: Same-origin URIs

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sat, 8 Nov 2014 14:38:02 -0800
Message-ID: <CALx_OUD=nFKNSMkgciSQ8+-zKwR2347J9EJf22oH7zCjzJK_OA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, eisinger@google.com
> Can we have a referer policy directive that lets the web application
> specify a same-origin URI to use as a referer?

Hmm, but the use case you describe sounds a bit dangerous - sounds
like you have very powerful capability-bearing URLs that persist in
the address bar, but that you don't want to leak to your own origin
(your rejected solution #1).

But such capability URLs that persist in the address bar are also
likely to be accidentally leaked by users when taking screenshots /
screencasting, end up in browsing histories, and may end up in crash
logs submitted to vendors (Mozilla, for example, collects crash URLs).

Now, we're already past the point where Referer policies were simple
enough to justify keeping them somewhat separate from CSP, so perhaps
they should be just fully CSPized giving you precise control over
which origins or domains get which form of the referer header... but
this particular special case makes me a bit uncertain.

/mz
Received on Saturday, 8 November 2014 22:38:54 UTC
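An added illustration of the trade-off discussed in the thread (this is not code from the thread, from any browser, or from the Referrer Policy spec itself): a small model of what Referer value each policy produces when a page at a capability-bearing URL navigates to a same-origin, a cross-origin, and a downgraded (https to http) target. It follows the spec's "determine request's referrer" logic; the policy names are those of the current W3C Referrer Policy document, several of which post-date this 2014 discussion. The page URL, the token and the target URLs are constructed for the example.

```javascript
// Model of Referrer-Policy behaviour for a capability-bearing page URL.
// Assumptions: WHATWG URL global (Node >= 10 or any browser); policy
// names per the current W3C Referrer Policy spec; only https:, wss: and
// localhost count as potentially trustworthy origins.

const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

function isTrustworthy(url) {
  return url.protocol === "https:" || url.protocol === "wss:" ||
    url.hostname === "localhost" || url.hostname === "127.0.0.1";
}

// Full referrer: the page URL minus fragment and userinfo.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.hash = ""; u.username = ""; u.password = "";
  return u.href;
}

// Returns the Referer string the browser would send, or null for none.
function referrerFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const full = stripForReferrer(page);
  const originOnly = page.origin + "/";           // serialized origin + "/"
  const sameOrigin = page.origin === target.origin;
  const downgrade = isTrustworthy(page) && !isTrustworthy(target);

  switch (policy) {
    case "no-referrer":               return null;
    case "unsafe-url":                return full;
    case "origin":                    return originOnly;
    case "same-origin":               return sameOrigin ? full : null;
    case "strict-origin":             return downgrade ? null : originOnly;
    case "origin-when-cross-origin":  return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "":                          // empty policy = spec default
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// True if the capability token from the page URL ends up in the Referer.
function leaksToken(pageUrl, targetUrl, policy, token) {
  const ref = referrerFor(pageUrl, targetUrl, policy);
  return ref !== null && ref.includes(token);
}

// Which policies keep the token out of the Referer for every target?
function policiesThatHideToken(pageUrl, token, targets) {
  return POLICIES.filter((p) =>
    targets.every((t) => !leaksToken(pageUrl, t, p, token)));
}

// Constructed sample: a capability URL like the one in the thread, and
// three navigation targets (same-origin, cross-origin, https->http).
const PAGE = "https://app.example/doc/42?token=SECRET123#section";
const TOKEN = "SECRET123";
const TARGETS = [
  "https://app.example/other",   // same origin: the case the thread is about
  "https://cdn.example/asset",   // cross origin
  "http://app.example/legacy",   // downgrade to plain http
];

// Every policy that hides the token also discards the path: no standard
// value yields "some other same-origin URL", which is what was asked for.
console.log(policiesThatHideToken(PAGE, TOKEN, TARGETS));
```

Running it lists `no-referrer`, `origin` and `strict-origin` as the only values that keep the token out of the Referer on a same-origin navigation, and all three reduce the referrer to the bare origin or nothing; that gap between "full URL" and "origin only" is exactly the extra control the original question is asking for.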
