Re: Referrer Policy: Same-origin URIs

Well, theoretically, yes. In practice, usability sometimes trumps that
due to user demand. "Anyone with a link" is a sharing model used by
quite a few services, since the alternative (forcing all participants
of a chat or all collaborators on a document to register with a
particular website, log in, and have explicit ACLs created)... well,
often isn't all that great.


On Sat, Nov 8, 2014 at 3:22 PM, Jim Manico <> wrote:
> Please forgive my (continued) ignorance, but isn't keeping secrets out
> of GET requests the law of the land for secure web application
> development?
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>> On Nov 9, 2014, at 6:48 AM, Michal Zalewski <> wrote:
>> Thinking a bit more about this: it's probably more reasonable if
>> you're hoping to safeguard tokens from ending up in various Referer
>> analytics reports for unrelated parts of the site (the access to which
>> may be delegated to people who have no interest in seeing the URLs).
>> I still feel that if we're adding so much complexity to the directive,
>> we should probably just bite the bullet and allow people to specify
>> policies for domains in a CSP fashion, i.e., detailed referrer goes to
>> *, *, *, origin referrer
>> goes to *, etc. It would let people use analytics across multi-domain
>> properties while reaping the benefits of a safe default for the rest
>> of the Internet.
>> /mz

Received on Saturday, 8 November 2014 23:45:47 UTC
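Added example, not part of the thread above: a small model of how the
Referrer Policy keywords decide what a capability URL ("anyone with a
link") leaks in the Referer header, plus a hypothetical CSP-style map of
the kind /mz sketches, where a detailed referrer goes to the site's own
properties and only the origin goes everywhere else. The policy keywords
are the real Referrer Policy values (several were added after 2014); the
`hosts`/`policy` map format, the helper names and the docs.example URLs
are constructed for illustration.

```javascript
// Added example (not from the thread): models the Referrer Policy keywords
// and a hypothetical per-destination policy map. Sample URLs are constructed.

// Strip the parts that never go into a Referer: userinfo and fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// "Origin-only" referrers are sent as the serialized origin plus '/'.
function originOf(url) {
  return new URL(url).origin + '/';
}

function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === 'https:' && new URL(toUrl).protocol === 'http:';
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer value, or null when no header is sent at all.
function computeReferrer(referrerUrl, destinationUrl, policy) {
  const full = stripForReferrer(referrerUrl);
  const origin = originOf(referrerUrl);
  const same = sameOrigin(referrerUrl, destinationUrl);
  const downgrade = isDowngrade(referrerUrl, destinationUrl);

  switch (policy) {
    case 'no-referrer':                  return null;
    case 'unsafe-url':                   return full;
    case 'no-referrer-when-downgrade':   return downgrade ? null : full;
    case 'same-origin':                  return same ? full : null;
    case 'origin':                       return origin;
    case 'strict-origin':                return downgrade ? null : origin;
    case 'origin-when-cross-origin':     return same ? full : origin;
    case 'strict-origin-when-cross-origin':
      if (same) return full;
      return downgrade ? null : origin;
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Hypothetical CSP-style rule list: first rule whose host pattern matches the
// destination wins; '*' is the catch-all. Patterns are "host" or "*.host".
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(2);
    return host === suffix || host.endsWith('.' + suffix);
  }
  return host === pattern;
}

function referrerForDestination(referrerUrl, destinationUrl, policyMap) {
  const host = new URL(destinationUrl).hostname;
  for (const rule of policyMap) {
    if (rule.hosts.some(p => hostMatches(p, host))) {
      return computeReferrer(referrerUrl, destinationUrl, rule.policy);
    }
  }
  return null; // no matching rule, not even '*': send nothing
}

// Constructed sample: a shared-document capability URL carrying its token.
const CAPABILITY_URL = 'https://docs.example/d/abc123?token=SECRET#section2';
const POLICY_MAP = [
  { hosts: ['docs.example', '*.example'], policy: 'unsafe-url' }, // own properties get the full URL
  { hosts: ['*'], policy: 'origin' },                            // everyone else gets the origin
];

// What each destination sees; the analytics host on our own property still
// receives the token, which is exactly the leak the thread is worried about.
function demo() {
  return {
    ownAnalytics: referrerForDestination(CAPABILITY_URL, 'https://analytics.example/px.gif', POLICY_MAP),
    thirdParty:   referrerForDestination(CAPABILITY_URL, 'https://cdn.other.test/img.png', POLICY_MAP),
    downgrade:    computeReferrer(CAPABILITY_URL, 'http://cdn.other.test/img.png', 'no-referrer-when-downgrade'),
  };
}

console.log(demo());
```

The interesting row is `ownAnalytics`: a per-domain "detailed referrer" rule
hands the token to any analytics endpoint under those domains, so the rule
set has to be drawn around who may read the reports, not just around what
the organisation owns.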