
Re: [referrer] HTTPS->HTTP

From: Brian Smith <brian@briansmith.org>
Date: Fri, 24 Oct 2014 00:03:11 -0700
Message-ID: <CAFewVt6JzyQ1Rx1DY56Y46FEyFmH3vr1GZWzN0VWsW92bm=73Q@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, Oct 23, 2014 at 10:29 PM, Mark Nottingham <mnot@mnot.net> wrote:

> The bigger issue, however, is whether this is a good idea at all. In
> particular, "unsafe-url" removes this prohibition completely, for an
> *entire* page.
>
> This is likely to create a situation where those providing third-party
> functionality want/require referers, so they tell HTTPS sites to set
> "unsafe-url" or face a functional (or financial) penalty; now not only the
> intended content but all other fetches from the page will send a referer.
>
> I understand that there's a delicate balance here; if referers aren't sent
> at all, sites may be reluctant to move to HTTPS (although one might just
> say that the sites they're linking to should move to HTTPS!). The question
> is whether there's a net improvement to Web security.
>
> Arguably, origin-only and origin-when-cross-origin might get that balance
> right; I question whether unsafe-url and always (which isn't
> well-documented, btw) do.
>
> Has this been discussed yet?
>

Mark, if I understand you correctly, then I very much agree with you. See
these messages, and others in that thread:

http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0174.html
http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html

See also:
https://groups.google.com/forum/#!msg/mozilla.dev.privacy/wmPzPCdzIU8/Vrugn8XquL4J

Cheers,
Brian
Received on Friday, 24 October 2014 07:03:40 UTC
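The trade-off Mark describes (a single page-wide "unsafe-url" sends the full HTTPS URL, path and query included, in the Referer of every fetch the page makes, cleartext third parties included) is easiest to see by modelling the per-request decision. The block below is an added example written for this archive page, not code from the thread or from any browser; it uses today's Referrer-Policy keywords and assumes that the thread's "origin-only" corresponds to "origin" and that the legacy "always" behaves like "unsafe-url". The page URL and fetch targets are constructed sample data.

```javascript
// Added example (not from the original thread): a minimal model of how a
// browser decides what to put in the Referer header for one fetch, given the
// page's referrer policy. Current Referrer-Policy keywords are used; the
// thread's "origin-only" is taken as "origin" and the legacy "always" is
// assumed to behave like "unsafe-url".

// Credentials and the fragment are never sent in a referrer.
function stripForReferrer(urlString) {
  const u = new URL(urlString);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// The origin-only form of a referrer, serialised with a trailing slash.
function originOf(urlString) {
  return new URL(urlString).origin + "/";
}

// "Potentially trustworthy" is reduced here to: the scheme is https.
function isTrustworthy(urlString) {
  return new URL(urlString).protocol === "https:";
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer value for a fetch from pageUrl to targetUrl under the
// given policy, or null when no Referer should be sent at all.
function refererFor(policy, pageUrl, targetUrl) {
  const downgrade = isTrustworthy(pageUrl) && !isTrustworthy(targetUrl);
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade": // the default when no policy is set
      return downgrade ? null : stripForReferrer(pageUrl);
    case "origin":
      return originOf(pageUrl);
    case "origin-when-cross-origin":
      return sameOrigin(pageUrl, targetUrl)
        ? stripForReferrer(pageUrl)
        : originOf(pageUrl);
    case "unsafe-url":
      return stripForReferrer(pageUrl);
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Mark's concern in code: under one page-wide policy, which of the page's
// fetches deliver the full URL (path and query) in cleartext to an http: host?
function fullUrlLeakedOverHttp(policy, pageUrl, targetUrls) {
  const full = stripForReferrer(pageUrl);
  return targetUrls.filter(
    (t) => !isTrustworthy(t) && refererFor(policy, pageUrl, t) === full
  );
}

// Constructed sample data: an HTTPS page with a sensitive query string, and
// the mix of first-party and third-party fetches such a page typically makes.
const PAGE_URL = "https://shop.example/account?order=4711#summary";
const SAMPLE_TARGETS = [
  "https://shop.example/api/cart",
  "https://cdn.example/lib.js",
  "http://ads.example/pixel",
  "http://widgets.example/embed.js",
];

for (const policy of ["no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "unsafe-url"]) {
  console.log(policy);
  for (const t of SAMPLE_TARGETS) {
    console.log("  " + t + " -> " + refererFor(policy, PAGE_URL, t));
  }
  console.log("  full URL leaked over http: " + JSON.stringify(fullUrlLeakedOverHttp(policy, PAGE_URL, SAMPLE_TARGETS)));
}
```

Running it shows the asymmetry in the thread: "origin" and "origin-when-cross-origin" give the third party something (the site's origin) while keeping the path and query off the wire, whereas "unsafe-url" ships `https://shop.example/account?order=4711` to both http: hosts, not only to the one that asked for it.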
