W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: Referrer Policy: Same-origin URIs

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 9 Nov 2014 20:45:00 -0800
Message-ID: <CAPfop_1u5o6a=x7t7HjKxpi__XvRC6dUvAK0hmrm5MWZQ47QRg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "eisinger@google.com" <eisinger@google.com>
>
> I believe Google Analytics can be contained in an iframe sandbox
> already, if one "just" writes a wrapper around it that uses the GA API

easier said than done ;)

And GA is just one example.

> Your example use case was a help page that is linked to from a secret
> URL, where you don't want the secret URL to be leaked to analytics or
> ads via document.referrer, right? Isn't this use case already covered
> decently by these two existing mechanisms:

Sure. All problems have some sort of hacky painful solution right now.
XSS also can be solved with sanitization/validation; why do we need
CSP? Sub-origins can be achieved with a caja or iframe sandboxing. But
CSP and sub-origins allow security engineers to reason about their
applications and its security. Similarly, the referer directive. Of
course we can solve problems without the referer directive---that's
what everyone is doing right now. That doesn't mean it is a robust
or ideal solution.

> more in line with the extensible web idea of letting web content take
> control over what it does while adding fewer new things to browsers.

Sorry but I strongly disagree. The extensible web manifesto is
definitely not about adding fewer new things to browsers. Quite the
opposite actually. If anything, the extensible web manifesto would
likely suggest that it shouldn't just be that I am allowed to set the
referer policy as a URI; I should be allowed to set it via a
ServiceWorker that looks at the page context and can make a decision
for each individual request. And even with such a feature, extensible
web manifesto definitely does not preclude the creation of new (even
declarative) features for ease of use.

cheers
Dev
Received on Monday, 10 November 2014 04:45:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC