
Re: Referrer Policy: Same-origin URIs

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sat, 8 Nov 2014 14:39:55 -0800
Message-ID: <CALx_OUDDhAmo+BkWYF7QtL+uc2XHF+Upb=HPAcWyk-vtRxv+vw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, eisinger@google.com

> But such capability URLs that persist in the address bar are also
> likely to be accidentally leaked by users when taking screenshots /
> screencasting, end up in browsing histories, and may end up in crash
> logs submitted to vendors (Mozilla, for example, collects crash URLs).

Oops, I didn't finish this thought: my point was that if they are
sensitive enough to need protection from their own origin, perhaps
it'd be best not to keep them in long-lived URLs because of these
other risks?

/mz
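One way to act on the suggestion above, as an added example that is not part of this thread or of any browser or spec code: treat the capability URL as a single-use bootstrap credential, exchange it for a short-lived cookie-backed session on first visit, and redirect to a token-free path so the secret does not persist in the address bar, history, screenshots or crash reports. The host name, the `/share` endpoint, the `cap` query parameter and the in-memory dictionaries standing in for a database are all constructed for the illustration.

```python
"""Redeem a single-use capability URL for a short-lived session cookie.

Constructed illustration (not production code): the token and session
stores are plain dicts, and `example.test` with a `/share?cap=...`
endpoint is an assumed layout, not one taken from the thread.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CAPABILITY_TTL = 600   # seconds a capability link stays redeemable
SESSION_TTL = 900      # seconds the cookie-backed session lasts

_capabilities = {}     # token -> (resource_path, expiry timestamp)
_sessions = {}         # session id -> (resource_path, expiry timestamp)


def issue_capability(resource_path, now=None):
    """Mint a one-time link granting access to `resource_path`."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    _capabilities[token] = (resource_path, now + CAPABILITY_TTL)
    query = urlencode({"cap": token})
    return urlunsplit(("https", "example.test", "/share", query, ""))


def redeem_capability(request_url, now=None):
    """Consume the capability carried in `request_url`.

    Returns (status, location, set_cookie): a 303 redirect to the
    token-free resource path plus a fresh session cookie, or a 404 when
    the link is missing, unknown, expired, or already used.  Redirecting
    means the browser replaces the secret-bearing URL in the address bar
    and history with the clean path.
    """
    now = time.time() if now is None else now
    parts = urlsplit(request_url)
    token = parse_qs(parts.query).get("cap", [None])[0]
    if token is None:
        return 404, None, None
    # pop() makes the link single use: a replay of a leaked copy fails.
    entry = _capabilities.pop(token, None)
    if entry is None or entry[1] <= now:
        return 404, None, None
    resource_path, _ = entry
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = (resource_path, now + SESSION_TTL)
    # The secret now lives in a cookie the address bar never shows.
    cookie = (
        f"share_session={session_id}; Secure; HttpOnly; "
        f"SameSite=Strict; Path={resource_path}; Max-Age={SESSION_TTL}"
    )
    return 303, resource_path, cookie


def authorize(session_id, resource_path, now=None):
    """Check that a follow-up request carries a live session for the path."""
    now = time.time() if now is None else now
    entry = _sessions.get(session_id)
    return entry is not None and entry[0] == resource_path and entry[1] > now


if __name__ == "__main__":
    link = issue_capability("/docs/42")
    status, location, cookie = redeem_capability(link)
    print(status, location)
    print(cookie)
    print("replay:", redeem_capability(link)[0])   # second use is rejected
```

The cookie is scoped with `Path`, `HttpOnly` and `SameSite`, so the session is never visible to page script, never appears in a URL, and expires on its own; the original link is dead after one redemption, which limits what a copy recovered from a screenshot or crash log is worth.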
Received on Saturday, 8 November 2014 22:40:45 UTC
