W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: Referrer Policy: Same-origin URIs

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sat, 8 Nov 2014 14:46:45 -0800
Message-ID: <CALx_OUCvN8scy4YmO__YeTW7y5yKbRLzojHvDeZJYaXHEmUHKQ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, eisinger@google.com

Thinking a bit more about this: it's probably more reasonable if
you're hoping to safeguard tokens from ending up in various Referer
analytics reports for unrelated parts of the site (the access to which
may be delegated to people who have no interest in seeing the URLs).

I still feel that if we're adding so much complexity to the directive,
we should probably just bite the bullet and allow people to specify
policies for domains in a CSP fashion, i.e., detailed referrer goes to
*.google.com, *.google.com.pl, *.facebook.com/foo, origin referrer
goes to *, etc. It would let people use analytics across multi-domain
properties while reaping the benefits of a safe default for the rest
of the Internet.

/mz
Received on Saturday, 8 November 2014 22:47:33 UTC