- From: Kristijan Burnik <burnik@chromium.org>
- Date: Wed, 5 Aug 2015 09:01:12 +0200
- To: Francois Marier <francois@mozilla.com>
- Cc: public-webappsec@w3.org
- Message-ID: <CAN9L14d9mq8k5zM8h7Rc_CwTVLt1ikrWxmWZ-dUoToXzki++4A@mail.gmail.com>
On Aug 5, 2015 4:08 AM, "Francois Marier" <francois@mozilla.com> wrote:
>
> Sorry if this has been discussed before, but I was reading the spec from
> the point of view of what I'd like to use on my own sites by default and
> realized that of the 4 non-default policy states:
>
> 1. no referrer
> 2. origin
> 3. origin when cross-origin
> 4. unsafe url
>
> only #1 is as good as the default (no referrer when downgrade) when
> looking at HTTPS to HTTP navigations.
>
> I wouldn't mind using "origin when cross-origin" but I don't want to
> leak referrers on HTTP requests so it seems I'm stuck with the default
> policy.

From my perspective I would use origin-when-cross-origin without worrying about leaking anything sensitive. Implying that 3rd party sites can only collect stats about my domain name (+protocol, +port) which should be considered safe and probably desirable. Otherwise I would stick with no-referrer when I don't want any 3rd party to collect stats (e.g. a testing domain no one should know about). Assuming I wouldn't need the referrer stats for testing anyway.

From another perspective - and your question reminded me of this - no-referrer-when-downgrade and origin-when-cross-origin are sort of asking for a "no-referrer-when-cross-origin". Sounds like it should be easy to implement too. Only concern is if this would ever prove useful enough to be a policy of choice.

It would be nice to hear from the editors about the topic. :-)

>
> Shouldn't we try to encourage more HTTPS and have all of the policies
> (except for unsafe URL of course) be at least as good as the default
> one? In other words, shouldn't "origin" and "origin when cross-origin"
> also imply "no referrer when downgrade"?
>
> Francois
Received on Wednesday, 5 August 2015 21:40:26 UTC
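The comparison the two messages are making, as an added Python model (not code from either author or from the spec): it computes the Referer value each 2015-era policy state yields for a navigation, plus the "no-referrer-when-cross-origin" variant proposed in the reply, so the HTTPS-to-HTTP behaviour of each policy can be checked side by side. The sample URLs are constructed, and serializing the origin with a trailing slash is an assumption about how browsers emit it.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}

# The four non-default states from the thread, the default, and the proposed one.
POLICIES = ["no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "unsafe-url",
            "no-referrer-when-cross-origin"]  # last one: proposed in the reply, not in the spec


def origin(url):
    """Serialize scheme://host[:port], omitting the scheme's default port."""
    p = urlsplit(url)
    port = p.port if p.port not in (None, _DEFAULT_PORTS.get(p.scheme)) else None
    return f"{p.scheme}://{p.hostname}" + (f":{port}" if port else "")


def strip_for_referrer(url):
    """A full-URL referrer never carries credentials or the fragment."""
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")  # drops user:pass@
    return p._replace(netloc=netloc, fragment="").geturl()


def is_downgrade(src, dst):
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def compute_referrer(policy, src, dst):
    """Referer header value for a navigation src -> dst, or None for no header."""
    same_origin = origin(src) == origin(dst)
    origin_ref = origin(src) + "/"  # assumption: origin sent as a URL with trailing slash
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # the default state
        return None if is_downgrade(src, dst) else strip_for_referrer(src)
    if policy == "origin":  # origin even on HTTPS -> HTTP
        return origin_ref
    if policy == "origin-when-cross-origin":  # origin even on HTTPS -> HTTP
        return strip_for_referrer(src) if same_origin else origin_ref
    if policy == "unsafe-url":
        return strip_for_referrer(src)
    if policy == "no-referrer-when-cross-origin":  # hypothetical, as described in the reply
        return strip_for_referrer(src) if same_origin else None
    raise ValueError(f"unknown policy {policy!r}")


def leaks_on_downgrade(policy, src="https://shop.example/account?id=42",
                       dst="http://stats.example/"):  # constructed HTTPS -> HTTP navigation
    """True if the policy sends any Referer at all on an HTTPS -> HTTP navigation."""
    return compute_referrer(policy, src, dst) is not None
```

Running `[p for p in POLICIES if not leaks_on_downgrade(p)]` reproduces the thread's observation: among the spec's states only no-referrer and the default withhold the header on a downgrade, while origin and origin-when-cross-origin still send the origin over plaintext.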