RE: Frame Ancestors and Referrer (Re: [webappsec] Call for Consensus: Stop work on Content Security Policy 1.0, transition to WG Note)

On Oct 24, 2014 7:40 PM, "Sean Snider" <ssnider@yahoo-inc.com> wrote:
> I really cannot see a "valid" use-case for "none",

Strong disagree.

> But back to referrer. . . what's the valid use-case for "none"?  Is it
> really just about data-leakage?  If that's the case, then I'd argue
> strongly against none, and just allow stripping down.  Rarely do hostname
> and scheme contain sensitive information, and in that case. . .really the
> site itself should be set up differently :P

The forums of any number of community groups are a treasure trove of off
site links. Support groups (human support, not technical support) for
things like medical conditions (schizophrenia, HIV/AIDS), identity
confusion (people who have not come out yet, gender reassignment), home and
health issues (divorce, financial instability) - all the sorts of things
that such communities often do not want leaking out into their advertising
profile.  These sites are often separately hosted precisely because people
do not *want* to be using Facebook/Google profiles for these sorts of
things. One can't always hide in the origin.

-tom

Received on Saturday, 25 October 2014 01:25:28 UTC
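The point of the reply above is that stripping the referrer "down" to scheme and host still identifies the community site a visitor came from, and only suppressing the header entirely (the thread's "none", which corresponds to the `no-referrer` value in the later Referrer Policy spec) avoids that. The following Python model is an added example written for this archive page, not code from the thread, the CSP specification or any browser; the referrer and target URLs are constructed, and the policy names are the Referrer Policy ones rather than the 2014 CSP draft spellings.

```python
"""Minimal model of how a browser derives the Referer header under
each referrer policy. Added example, not from the thread. The sample
URLs below are constructed for illustration."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer",                  # the thread's "none": send nothing
    "no-referrer-when-downgrade",   # full URL unless https -> http
    "origin",                       # scheme + host (+ port) only
    "strict-origin",                # origin unless https -> http
    "origin-when-cross-origin",     # full URL same-origin, origin otherwise
    "unsafe-url",                   # full URL always
)


def _host_port(url: str) -> str:
    """Host and optional port, with any userinfo dropped."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return netloc


def _origin(url: str) -> str:
    """Serialize the origin as browsers do for Referer: 'scheme://host/'."""
    return urlunsplit((urlsplit(url).scheme, _host_port(url), "/", "", ""))


def _full(url: str) -> str:
    """Full URL minus credentials and fragment (never sent in Referer)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(url), p.path, p.query, ""))


def _is_downgrade(referrer: str, target: str) -> bool:
    return urlsplit(referrer).scheme == "https" and urlsplit(target).scheme == "http"


def _same_origin(a: str, b: str) -> bool:
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, _host_port(a)) == (pb.scheme, _host_port(b))


def referrer_for(referrer: str, target: str, policy: str) -> Optional[str]:
    """Return the Referer header value to send, or None for no header."""
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if _is_downgrade(referrer, target) else _full(referrer)
    if policy == "origin":
        return _origin(referrer)
    if policy == "strict-origin":
        return None if _is_downgrade(referrer, target) else _origin(referrer)
    if policy == "origin-when-cross-origin":
        return _full(referrer) if _same_origin(referrer, target) else _origin(referrer)
    if policy == "unsafe-url":
        return _full(referrer)
    raise ValueError(f"unknown policy: {policy}")


def reveals_site(referrer: str, target: str, policy: str) -> bool:
    """True if the third party can learn which site the visitor came from."""
    return referrer_for(referrer, target, policy) is not None


if __name__ == "__main__":
    # Constructed sample: a support-forum thread linking to an off-site ad host.
    forum = "https://user:pw@support-forum.example/threads/newly-diagnosed?uid=42#reply-7"
    advertiser = "http://ad-network.example/track"
    for policy in POLICIES:
        print(f"{policy:28s} -> {referrer_for(forum, advertiser, policy)!r}")
```

Running it shows that every policy except `no-referrer` (and the two downgrade-sensitive ones, only because the sample target is plain http) hands `support-forum.example` to the third party; "origin" trims the thread path but the hostname alone is the sensitive fact in the scenario the reply describes.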