W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [referrer] HTTPS->HTTP

From: Brian Smith <brian@briansmith.org>
Date: Fri, 24 Oct 2014 00:03:11 -0700
Message-ID: <CAFewVt6JzyQ1Rx1DY56Y46FEyFmH3vr1GZWzN0VWsW92bm=73Q@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Oct 23, 2014 at 10:29 PM, Mark Nottingham <mnot@mnot.net> wrote:

> The bigger issue, however, is whether this is a good idea at all. In
> particular, "unsafe-url" removes this prohibition completely, for an
> *entire* page.
> This is likely to create a situation where those providing third-party
> functionality want/require referers, so they tell HTTPS sites to set
> "unsafe-url" or face a functional (or financial) penalty; now not only the
> intended content but all other fetches from the page will send a referer.
> I understand that there's a delicate balance here; if referers aren't sent
> at all, sites may be reluctant to move to HTTPS (although one might just
> say that the sites they're linking to should move to HTTPS!). The question
> is whether there's a net improvement to Web security.
> Arguably, origin-only and origin-when-cross-origin might get that balance
> right; I question whether unsafe-url and always (which isn't
> well-documented, btw) do.
> Has this been discussed yet?

Mark, if I understand you correctly, then I very much agree with you. See
these messages, and others in that thread:


See also:

Received on Friday, 24 October 2014 07:03:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC