- From: Mike West <mkwst@google.com>
- Date: Fri, 24 Oct 2014 12:15:29 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Jochen Eisinger <eisinger@google.com>, Brian Smith <brian@briansmith.org>, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=exv26NYv3TCaEUu2KB++CteYX9gBQ=O3_Sz4+JW1h=ZQ@mail.gmail.com>
Don't services get _more_ referrers when they move to HTTPS? If I was a newspaper, curious about where my users were coming from, I'd totally want to be an HTTPS site; otherwise I'd lose out on referrer information from the default none-when-downgrade behavior.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Oct 24, 2014 at 12:12 PM, Mark Nottingham <mnot@mnot.net> wrote:
> When sites migrate to HTTPS, they lose referers to HTTP third-party
> services; I think that’s the friction that Jochen was trying to avoid
> (happy to be corrected).
>
> ‘always’ avoids that friction, but the flip side of the coin is that it
> makes it easier for third-party services to remain HTTP-only.
>
>
> > On 24 Oct 2014, at 9:08 pm, Mike West <mkwst@google.com> wrote:
> >
> > How does that follow, Mark?
> >
> > -mike
> >
> > --
> > Mike West <mkwst@google.com>
> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> > Register court and number: Hamburg, HRB 86891
> > Registered office: Hamburg
> > Managing directors: Graham Law, Christine Elizabeth Flores
> > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> >
> > On Fri, Oct 24, 2014 at 12:06 PM, Mark Nottingham <mnot@mnot.net> wrote:
> > Doesn’t it encourage third-party services to be lazy and stay on
> > cleartext HTTP?
> >
> >
> > > On 24 Oct 2014, at 9:05 pm, Jochen Eisinger <eisinger@google.com> wrote:
> > >
> > > Google uses the "origin" policy on the search result page.
> > >
> > > I agree that "always" is a two edged sword. From my point of view, the
> > > current default referrer behavior makes sense in a world where everybody is
> > > happy with HTTP, and HTTPS means something like "banking".
> > >
> > > Today, I think we'd rather have everybody on HTTPS, and I see the
> > > "always" policy as a way to make it easier for web sites to migrate to
> > > HTTPS without punishing them.
> > >
> > > best
> > > -jochen
> > >
> > > On Fri Oct 24 2014 at 11:56:41 AM Mike West <mkwst@google.com> wrote:
> > > +Jochen, who hopefully has a few minutes to think about this before he
> > > disappears into vacationland.
> > >
> > > -mike
> > >
> > > --
> > > Mike West <mkwst@google.com>
> > > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> > >
> > > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> > > Register court and number: Hamburg, HRB 86891
> > > Registered office: Hamburg
> > > Managing directors: Graham Law, Christine Elizabeth Flores
> > > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> > >
> > > On Fri, Oct 24, 2014 at 9:03 AM, Brian Smith <brian@briansmith.org> wrote:
> > > On Thu, Oct 23, 2014 at 10:29 PM, Mark Nottingham <mnot@mnot.net> wrote:
> > > The bigger issue, however, is whether this is a good idea at all. In
> > > particular, "unsafe-url" removes this prohibition completely, for an
> > > *entire* page.
> > >
> > > This is likely to create a situation where those providing third-party
> > > functionality want/require referers, so they tell HTTPS sites to set
> > > "unsafe-url" or face a functional (or financial) penalty; now not only the
> > > intended content but all other fetches from the page will send a referer.
> > >
> > > I understand that there's a delicate balance here; if referers aren't
> > > sent at all, sites may be reluctant to move to HTTPS (although one might
> > > just say that the sites they're linking to should move to HTTPS!). The
> > > question is whether there's a net improvement to Web security.
> > >
> > > Arguably, origin-only and origin-when-cross-origin might get that
> > > balance right; I question whether unsafe-url and always (which isn't
> > > well-documented, btw) do.
> > >
> > > Has this been discussed yet?
> > >
> > > Mark, if I understand you correctly, then I very much agree with you.
> > > See these messages, and others in that thread:
> > >
> > > http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0174.html
> > > http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html
> > >
> > > See also:
> > > https://groups.google.com/forum/#!msg/mozilla.dev.privacy/wmPzPCdzIU8/Vrugn8XquL4J
> > >
> > > Cheers,
> > > Brian
> > >
> >
> > --
> > Mark Nottingham http://www.mnot.net/
> >
>
> --
> Mark Nottingham http://www.mnot.net/
>
Received on Friday, 24 October 2014 10:16:17 UTC
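The thread argues about what a third party actually receives in the Referer header under each policy, and Mike's reply hinges on the default none-when-downgrade behaviour dropping the referrer only on an HTTPS-to-HTTP transition. The following is an added example, not code from the thread or from any browser, that models the decision for the policy names used above (none, none-when-downgrade, origin, origin-when-cross-origin, always, unsafe-url). Assumptions: "always" is treated as a synonym for "unsafe-url" (the thread itself notes it is not well documented); the names follow the 2014 draft rather than the later spec, which renamed none-when-downgrade to no-referrer-when-downgrade; the full-URL form strips credentials and the fragment as browsers do; all host names (`news.example`, `ads.example`) are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Policy names as they appear in the thread (2014 draft / legacy <meta name="referrer">
# values). Assumption: "always" is treated as a synonym for "unsafe-url".
POLICIES = ("none", "none-when-downgrade", "origin", "origin-when-cross-origin",
            "always", "unsafe-url")


def _host(parts):
    """host[:port] with any userinfo removed."""
    host = parts.hostname or ""
    if parts.port is not None:
        host += f":{parts.port}"
    return host


def _stripped(url):
    """Full referrer value: credentials and fragment removed, path and query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))


def _origin(url):
    """Origin-only referrer value, serialised with a trailing slash as browsers send it."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"


def _is_downgrade(source, target):
    """True for an HTTPS page fetching or navigating to a plain-HTTP target."""
    return urlsplit(source).scheme == "https" and urlsplit(target).scheme == "http"


def _same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def referer_for(policy, source, target):
    """Return the Referer value a request from `source` to `target` carries under
    `policy`, or None when no Referer is sent at all."""
    if policy == "none":
        return None
    if policy == "none-when-downgrade":
        # The default: full URL, except that an HTTPS page sends nothing to HTTP targets.
        return None if _is_downgrade(source, target) else _stripped(source)
    if policy == "origin":
        # What the thread says the search result page uses: origin only, everywhere.
        return _origin(source)
    if policy == "origin-when-cross-origin":
        return _stripped(source) if _same_origin(source, target) else _origin(source)
    if policy in ("always", "unsafe-url"):
        # Full URL to every target, including HTTP ones; this is the "two edged sword".
        return _stripped(source)
    raise ValueError(f"unknown policy {policy!r}")


def migration_effect(policy, page_path, third_party):
    """What a third party sees before and after a site moves from http:// to https://.
    Uses a constructed site name; returns (referer_before, referer_after)."""
    before = referer_for(policy, "http://news.example" + page_path, third_party)
    after = referer_for(policy, "https://news.example" + page_path, third_party)
    return before, after


if __name__ == "__main__":
    for third_party in ("http://ads.example/track", "https://ads.example/track"):
        for policy in POLICIES:
            before, after = migration_effect(policy, "/article?id=42", third_party)
            print(f"{policy:26} -> {third_party:26} before: {before!s:38} after: {after}")
```

Running the script shows the two positions in the thread side by side: under none-when-downgrade the migrated HTTPS site still sends its full URL to an HTTPS third party (Mike's point) but sends nothing to an HTTP third party (Mark's point), while always/unsafe-url restores the referrer to the HTTP third party at the cost of sending the full URL, query string included, to every target.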