
Re: Referrer Policy: Same-origin URIs

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sat, 8 Nov 2014 15:45:00 -0800
Message-ID: <CALx_OUAcTSuBaurxDmS47UpTC3TWrzx6CfGhm1FHx=DED6jJ2g@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "eisinger@google.com" <eisinger@google.com>
Well, theoretically, yes. In practice, usability sometimes trumps that
due to user demand. "Anyone with a link" is a sharing model used by
quite a few services, since the alternative (forcing all participants
of a chat or all collaborators on a document to register with a
particular website, log in, and have explicit ACLs created)... well,
often isn't all that great.

/mz

On Sat, Nov 8, 2014 at 3:22 PM, Jim Manico <jim.manico@owasp.org> wrote:
> Please forgive my (continued) ignorance, but isn't keeping secrets out
> of GET requests the law of the land for secure web application
> development?
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
>> On Nov 9, 2014, at 6:48 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>>
>> Thinking a bit more about this: it's probably more reasonable if
>> you're hoping to safeguard tokens from ending up in various Referer
>> analytics reports for unrelated parts of the site (the access to which
>> may be delegated to people who have no interest in seeing the URLs).
>>
>> I still feel that if we're adding so much complexity to the directive,
>> we should probably just bite the bullet and allow people to specify
>> policies for domains in a CSP fashion, i.e., detailed referrer goes to
>> *.google.com, *.google.com.pl, *.facebook.com/foo, origin referrer
>> goes to *, etc. It would let people use analytics across multi-domain
>> properties while reaping the benefits of a safe default for the rest
>> of the Internet.
>>
>> /mz
>>
Received on Saturday, 8 November 2014 23:45:47 UTC
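As an added illustration (not code from the thread, the spec, or any browser), here is a small Python model of the CSP-style per-destination referrer policy sketched in the quoted message, reduced to host patterns only (the path form `*.facebook.com/foo` is left out). The policy list, the URLs and the helper names are constructed assumptions; the point is to show how a share token in an "anyone with a link" URL reaches the site's own properties in full while every other destination sees only the origin.

```python
"""Hypothetical per-destination referrer policy (constructed example)."""
from urllib.parse import urlsplit, urlunsplit

# Policy as a list of (host pattern, mode); first match wins, "*" is the catch-all.
# Modes: "full" = whole URL minus fragment/userinfo, "origin" = scheme://host[:port]/,
# "none" = send no Referer at all.  Values here are assumptions, not a real site's.
POLICY = [
    ("*.google.com", "full"),
    ("*.google.com.pl", "full"),
    ("*", "origin"),
]


def host_matches(pattern: str, host: str) -> bool:
    """CSP-like host matching: '*' matches anything, '*.example.com' matches
    subdomains of example.com (not the bare domain), otherwise exact match."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:].lower())  # suffix ".example.com"
    return host == pattern.lower()


def referrer_for(page_url: str, dest_url: str, policy=POLICY):
    """Referer value a browser following this policy would attach when the
    document at page_url fetches or navigates to dest_url (None = no header)."""
    page = urlsplit(page_url)
    dest_host = urlsplit(dest_url).hostname or ""
    mode = next((m for pat, m in policy if host_matches(pat, dest_host)), "none")
    if mode == "none":
        return None
    netloc = page.netloc.rsplit("@", 1)[-1]  # never leak user:pass@ credentials
    if mode == "origin":
        return urlunsplit((page.scheme, netloc, "/", "", ""))
    # "full": path and query are kept, the fragment is always dropped
    return urlunsplit((page.scheme, netloc, page.path, page.query, ""))


def query_leaks(page_url: str, dest_url: str, policy=POLICY) -> bool:
    """True if the page's query string (where share tokens usually live)
    would reach dest_url inside the Referer header."""
    ref = referrer_for(page_url, dest_url, policy)
    return ref is not None and urlsplit(ref).query != ""


if __name__ == "__main__":
    cap = "https://docs.example/d/abc?share=s3cret"  # constructed capability URL
    print(referrer_for(cap, "https://www.google.com/search"))      # full URL
    print(referrer_for(cap, "https://cdn.third-party.invalid/a"))  # origin only
```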
