
Re: Referrer Policy: Same-origin URIs

From: Jim Manico <jim.manico@owasp.org>
Date: Sun, 9 Nov 2014 07:22:24 +0800
Message-ID: <-5506870606623837845@unknownmsgid>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "eisinger@google.com" <eisinger@google.com>

Please forgive my (continued) ignorance, but isn't keeping secrets out
of GET requests the law of the land for secure web application
development?

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Nov 9, 2014, at 6:48 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>
> Thinking a bit more about this: it's probably more reasonable if
> you're hoping to safeguard tokens from ending up in various Referer
> analytics reports for unrelated parts of the site (the access to which
> may be delegated to people who have no interest in seeing the URLs).
>
> I still feel that if we're adding so much complexity to the directive,
> we should probably just bite the bullet and allow people to specify
> policies for domains in a CSP fashion, i.e., detailed referrer goes to
> *.google.com, *.google.com.pl, *.facebook.com/foo, origin referrer
> goes to *, etc. It would let people use analytics across multi-domain
> properties while reaping the benefits of a safe default for the rest
> of the Internet.
>
> /mz
>
Received on Saturday, 8 November 2014 23:22:57 UTC
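The exchange above turns on one mechanism: the browser derives the Referer header from the referring page's URL, so a token that sits in a GET query string is only as private as the referrer policy in force. The following is an added illustration for this archive page, not code from the thread's participants or from any browser. It models how a Referer value is computed for each Referrer-Policy keyword in the current specification (the 2014 draft under discussion had fewer values), and reports which policies would expose a secret carried in the page URL to a cross-origin destination such as an analytics endpoint. All URLs and the token are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Added illustration (not from the thread or any browser): derive the
# Referer header for a request from the referring document's URL under
# each Referrer-Policy keyword, then check whether a secret in the GET
# query string survives into that header.

def _origin(url: str) -> str:
    """Origin serialized the way Referer carries it: scheme://host[:port]/."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}/"

def _strip(url: str) -> str:
    """Full URL minus credentials and fragment, which never reach Referer."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def _same_origin(a: str, b: str) -> bool:
    return _origin(a) == _origin(b)

def _is_downgrade(referrer: str, target: str) -> bool:
    """https -> http is the downgrade the *-when-downgrade and strict-* policies guard."""
    return urlsplit(referrer).scheme == "https" and urlsplit(target).scheme != "https"

def compute_referer(referring_url: str, target_url: str, policy: str):
    """Return the Referer value to send, or None when the header is omitted."""
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(referring_url)
    if policy == "origin":
        return _origin(referring_url)
    if policy == "same-origin":
        return _strip(referring_url) if _same_origin(referring_url, target_url) else None
    if policy == "strict-origin":
        return None if _is_downgrade(referring_url, target_url) else _origin(referring_url)
    if policy == "origin-when-cross-origin":
        if _same_origin(referring_url, target_url):
            return _strip(referring_url)
        return _origin(referring_url)
    if policy == "no-referrer-when-downgrade":
        return None if _is_downgrade(referring_url, target_url) else _strip(referring_url)
    if policy == "strict-origin-when-cross-origin":
        if _same_origin(referring_url, target_url):
            return _strip(referring_url)
        return None if _is_downgrade(referring_url, target_url) else _origin(referring_url)
    raise ValueError(f"unknown policy: {policy}")

def leaks_secret(referring_url: str, target_url: str, policy: str, secret: str) -> bool:
    """True if the Referer sent to target_url would contain the secret."""
    ref = compute_referer(referring_url, target_url, policy)
    return ref is not None and secret in ref

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
)

def leak_matrix(referring_url: str, target_url: str, secret: str) -> dict:
    """Map each policy keyword to whether the secret would leak to target_url."""
    return {p: leaks_secret(referring_url, target_url, p, secret) for p in POLICIES}

if __name__ == "__main__":
    # Constructed example: a password-reset page that carries its token in
    # the URL, loading a script from a third-party (cross-origin) host.
    page = "https://app.example/reset?token=CONSTRUCTED_SECRET"
    third_party = "https://analytics.example/collect"
    for policy, leaks in leak_matrix(page, third_party, "CONSTRUCTED_SECRET").items():
        print(f"{policy:32s} leaks={leaks} referer={compute_referer(page, third_party, policy)}")
```

Of the eight keywords, only `unsafe-url` and `no-referrer-when-downgrade` forward the full URL (and thus the token) to an https third party; that second one is the default in browsers that do not yet apply `strict-origin-when-cross-origin`, which is why keeping secrets out of GET URLs remains the robust answer rather than relying on the policy alone.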