
Re: Referrer Policy: Same-origin URIs

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sat, 8 Nov 2014 18:37:49 -0800
Message-ID: <CAPfop_3E-5m+TPr5UbAtTk3EO_P=fT=mqgP4X5suL-vEsasOMA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "eisinger@google.com" <eisinger@google.com>
> I agree. But, aren't analytics and ad conversion trackers usually
> third-party services, such that they wouldn't be covered by your
> proposal, which is restricted to same-origin?

Unfortunately no. Analytics often run as scripts in the origin of the
page. Google Analytics is one famous example. Yes, this is bad; this
is why we should have sub-origins and SRI :)

To be clear, I am proposing that the "value of the referer" can be a
URI that is same-origin. Where the referer then flows depends on the
target URI of the request---it can be cross-origin or same-origin.

> That syntax is more than you need, and more error-prone than you need.

You are right. I should have been clearer. As you point out, I am
only asking for:

> https://example.com/ (equivalent to 'origin')
> https://example.com/a/
> https://example.com/a/b/
> https://example.com/a/b/c/
> https://example.com/a/b/c/d/

Received on Sunday, 9 November 2014 02:38:36 UTC
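A model of the proposal above, added here as an example and not code from this thread or from any browser: the policy value is one of the directory-level prefixes listed in the message, and the validation rules and the fallback to the bare origin are assumptions made for illustration.

```javascript
// Added example (not from the thread): model of a referrer policy whose
// value is a same-origin URI truncated to a directory prefix, e.g.
// "https://example.com/a/b/". The checks below and the fallback to the
// bare origin are assumptions for this illustration, not spec text.

// Returns the referrer string to attach to requests from `documentUrl`,
// or the bare origin (what the 'origin' policy sends) when the declared
// value fails the checks.
function computeReferrer(documentUrl, policyValue) {
  const doc = new URL(documentUrl);
  const originOnly = doc.origin + "/";   // "https://example.com/"

  let policy;
  try {
    policy = new URL(policyValue);
  } catch (e) {
    return originOnly;                   // unparsable value: be conservative
  }

  // Same-origin only: a value naming another origin is rejected.
  if (policy.origin !== doc.origin) return originOnly;
  // Directory prefixes only: no query, no fragment, trailing slash.
  if (policy.search !== "" || policy.hash !== "") return originOnly;
  if (!policy.pathname.endsWith("/")) return originOnly;
  // The declared prefix must actually be a prefix of the document path,
  // so a page cannot claim an unrelated location as its referrer.
  if (!doc.pathname.startsWith(policy.pathname)) return originOnly;

  // Query string and fragment of the document are never part of the value.
  return policy.origin + policy.pathname;
}
```

The query string of the document (for example a token in the URL) is dropped whatever the request target is; only the declared prefix reaches the receiving server.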
