
Re: [REFERRER] 3 of 4 policy states are worse than the default

From: Kristijan Burnik <burnik@chromium.org>
Date: Wed, 5 Aug 2015 09:01:12 +0200
Message-ID: <CAN9L14d9mq8k5zM8h7Rc_CwTVLt1ikrWxmWZ-dUoToXzki++4A@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: public-webappsec@w3.org
On Aug 5, 2015 4:08 AM, "Francois Marier" <francois@mozilla.com> wrote:
>
> Sorry if this has been discussed before, but I was reading the spec from
> the point of view of what I'd like to use on my own sites by default and
> realized that of the 4 non-default policy states:
>
> 1. no referrer
> 2. origin
> 3. origin when cross-origin
> 4. unsafe url
>
> only #1 is as good as the default (no referrer when downgrade) when
> looking at HTTPS to HTTP navigations.
>
> I wouldn't mind using "origin when cross-origin" but I don't want to
> leak referrers on HTTP requests so it seems I'm stuck with the default
> policy.

From my perspective I would use origin-when-cross-origin without worrying
about leaking anything sensitive. Implying that 3rd party sites can only
collect stats about my domain name (+protocol, +port) which should be
considered safe and probably desirable. Otherwise I would stick with
no-referrer when I don't want any 3rd party to collect stats (e.g. a
testing domain no one should know about). Assuming I wouldn't need the
referrer stats for testing anyway.

From another perspective - and your question reminded me of this -
no-referrer-when-downgrade and origin-when-cross-origin are sort of asking
for a "no-referrer-when-cross-origin". Sounds like it should be easy to
implement too. Only concern is if this would ever prove useful enough to be
a policy of choice.

It would be nice to hear from the editors about the topic.  :-)

>
> Shouldn't we try to encourage more HTTPS and have all of the policies
> (except for unsafe URL of course) be at least as good as the default
> one? In other words, shouldn't "origin" and "origin when cross-origin"
> also imply "no referrer when downgrade"?
>
> Francois
>
Received on Wednesday, 5 August 2015 21:40:26 UTC
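As an added example (not part of this thread or of any browser's code), the following Python models what each policy state discussed above sends as the Referer for an HTTPS page requesting an HTTP destination, alongside the hypothetical "no-referrer-when-cross-origin" proposed in the reply. Function names, the sample URLs and the trailing-slash origin serialisation are assumptions of this example; the policy semantics follow the Referrer Policy draft as discussed above.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example (not from the thread). Models the Referrer Policy states discussed
# above; "no-referrer-when-cross-origin" is the hypothetical policy from the reply.

def origin_of(url: str) -> str:
    """ASCII origin of a URL: scheme://host[:port]; credentials and path dropped."""
    p = urlsplit(url)
    port = "" if p.port is None else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}"

def strip_for_referrer(url: str) -> str:
    """Strip a URL for use as a referrer: drop userinfo and fragment, keep path+query."""
    p = urlsplit(url)
    host = origin_of(url).split("://", 1)[1]
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def referrer_for(policy: str, source: str, destination: str):
    """Referer value sent (or None) for a request from source to destination."""
    src, dst = urlsplit(source), urlsplit(destination)
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    full = strip_for_referrer(source)
    origin_only = origin_of(source) + "/"  # origin-only referrers carry a trailing slash
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # the default policy
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-cross-origin":  # hypothetical, proposed in the reply
        return full if same_origin else None
    raise ValueError(f"unknown policy: {policy}")

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "unsafe-url", "no-referrer-when-cross-origin")

def policies_leaking_on_downgrade(source: str, destination: str) -> list:
    """Policies that still send a Referer on the given (HTTPS -> HTTP) request."""
    return [p for p in POLICIES if referrer_for(p, source, destination) is not None]

if __name__ == "__main__":
    page = "https://user:secret@Example.com/account?id=7#top"  # constructed sample
    for policy in POLICIES:
        print(f"{policy:32} -> {referrer_for(policy, page, 'http://stats.example/hit')}")
```

Running it shows that of the four non-default states only no-referrer withholds the origin on the HTTPS-to-HTTP request, which is the point raised in the question.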
