
[REFERRER] 3 of 4 policy states are worse than the default

From: Francois Marier <francois@mozilla.com>
Date: Tue, 04 Aug 2015 19:06:09 -0700
Message-ID: <55C16F91.5060800@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Sorry if this has been discussed before, but I was reading the spec from
the point of view of what I'd like to use on my own sites by default and
realized that of the 4 non-default policy states:

1. no referrer
2. origin
3. origin when cross-origin
4. unsafe url

only #1 is as good as the default (no referrer when downgrade) when
looking at HTTPS to HTTP navigations.

I wouldn't mind using "origin when cross-origin" but I don't want to
leak referrers on HTTP requests so it seems I'm stuck with the default
policy.

Shouldn't we try to encourage more HTTPS and have all of the policies
(except for unsafe URL of course) be at least as good as the default
one? In other words, shouldn't "origin" and "origin when cross-origin"
also imply "no referrer when downgrade"?

Francois
Received on Wednesday, 5 August 2015 02:06:39 UTC
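The point of the message is easier to see when the policy states are written out as a function: which Referer value each state sends for a given navigation, and which ones send anything at all on an HTTPS to HTTP downgrade. The following is an added example, not code from the original message or from the W3C spec text. It models the five states named in the thread using the spec's hyphenated tokens ("no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "unsafe-url"); the function names, the URL inputs and the simplified treatment of "full URL" (origin plus path and query, with userinfo and fragment dropped) are assumptions made here for illustration.

```javascript
// Added example: a model of the Referer value each policy state sends.
// Policy tokens are the spec's; everything else is constructed here.

// HTTPS -> HTTP is the "downgrade" the default state protects against.
function isDowngrade(fromUrl, toUrl) {
  return fromUrl.protocol === "https:" && toUrl.protocol === "http:";
}

function sameOrigin(fromUrl, toUrl) {
  return fromUrl.origin === toUrl.origin;
}

// Returns the Referer header value as a string, or null for "send nothing".
// `from` is the page making the request, `to` is the request destination.
function referrerFor(policy, from, to) {
  const fromUrl = new URL(from);
  const toUrl = new URL(to);
  // "Full" referrer: origin + path + query; userinfo and fragment are never sent.
  const full = fromUrl.origin + fromUrl.pathname + fromUrl.search;
  // Origin-only referrer is serialised with a trailing slash.
  const originOnly = fromUrl.origin + "/";

  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return isDowngrade(fromUrl, toUrl) ? null : full;
    case "origin":
      return originOnly;
    case "origin-when-cross-origin":
      return sameOrigin(fromUrl, toUrl) ? full : originOnly;
    case "unsafe-url":
      return full;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Which of the given policies still send something on this navigation?
function leakingPolicies(policies, from, to) {
  return policies.filter((p) => referrerFor(p, from, to) !== null);
}

const POLICIES = [
  "no-referrer",
  "no-referrer-when-downgrade",
  "origin",
  "origin-when-cross-origin",
  "unsafe-url",
];

// Constructed sample navigation: an HTTPS page linking to a plain-HTTP site.
const FROM = "https://example.com/account?tab=1";
const TO = "http://other.example/";

for (const p of POLICIES) {
  console.log(p.padEnd(28), "->", referrerFor(p, FROM, TO));
}
console.log("send a Referer on downgrade:", leakingPolicies(POLICIES, FROM, TO).join(", "));
```

Run under Node; the last line lists "origin", "origin-when-cross-origin" and "unsafe-url", which is exactly the three-of-four result in the subject line: only "no-referrer" matches the default's behaviour on the downgrade case. Later revisions of the Referrer Policy spec added "strict-origin" and "strict-origin-when-cross-origin", which are the "origin" variants combined with downgrade suppression that this message asks for; on a site that must not expose even its origin to HTTP destinations, those are the states to reach for.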
