- From: Francois Marier <francois@mozilla.com>
- Date: Fri, 14 Aug 2015 16:04:33 -0700
- To: public-webappsec@w3.org
On 05/08/15 12:50 AM, Mike West wrote:
> This behavior is to a large extent the entire point of Referrer Policy.
> If we don't give sites a way around the default behavior of dropping the
> referrer on downgrade, they'll do it themselves via insecure redirects
> (e.g. 't.co').
Good point, I hadn't considered that. You (and Brad) are right.
> Perhaps we could offer something like what you want as an addition
> (though I'm not sure I understand the use case (nor do I have a good
> naming suggestion)).
I looked into this more carefully and identified three different kinds
of relationships between a page and one of its resources/links:
1. same-origin: e.g. https://example.com/index.html -> https://example.com/other.html
2. cross-origin: e.g. https://example.com/index.html -> https://example.net/index.html
3. downgrade: e.g. https://example.com/index.html -> http://example.net/index.html
Then we have three "levels" of referrer we can send:
- full: e.g. https://example.com/index.html
- origin-only: e.g. https://example.com
- none
Which means that if we wanted to let authors control this fully, we
would allow them to do something like:
referrer="same-origin=full cross-origin=origin downgrade=none"
I'm not suggesting that we allow authors to use every possible
combination however. I think we can simplify this and only offer the
combinations that make sense:
1. same-origin=none cross-origin=none downgrade=none ("no-referrer")
2. same-origin=full cross-origin=none downgrade=none
3. same-origin=full cross-origin=origin downgrade=none
4. same-origin=full cross-origin=full downgrade=none ("no-referrer-when-downgrade")
5. same-origin=full cross-origin=origin downgrade=origin ("origin-when-cross-origin")
6. same-origin=full cross-origin=full downgrade=origin
7. same-origin=full cross-origin=full downgrade=full ("unsafe-url")
Notes:
- I couldn't think of a use for an author limiting same-origin referrers to origin, so I didn't include the existing "origin-only" policy.
- Combinations 1 to 4 are all at least as safe as the default one.
- Combinations 2, 3 and 6 are not currently in the spec.
- I'm not sure whether or not we need #6.
- I would personally use #2 or #3 on my sites.
Francois
Received on Friday, 14 August 2015 23:05:03 UTC
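The following is an added worked example, not code from the message or from any browser or the Referrer Policy spec. It models the three-relationship / three-level scheme Francois describes: a parser for the `same-origin=... cross-origin=... downgrade=...` syntax, a classifier for the relationship between a referring page and a target URL, the referrer value each level produces, and a comparison that checks the note that combinations 1 to 4 leak no more than the default. The named-policy expansions follow the labels given in the message; the exact serialization of the "full" and "origin-only" referrer (fragment and userinfo dropped, default ports omitted) and the treatment of a scheme upgrade as plain cross-origin are assumptions made here for illustration.

```python
from urllib.parse import urlsplit

RELATIONSHIPS = ("same-origin", "cross-origin", "downgrade")
LEVELS = ("full", "origin", "none")
LEVEL_RANK = {"none": 0, "origin": 1, "full": 2}   # how much is disclosed
DEFAULT_PORTS = {"http": 80, "https": 443}

# Named policies from the message, expanded into the three-dimensional form
# it proposes (constructed mapping, following the labels in the message).
NAMED_POLICIES = {
    "no-referrer": "same-origin=none cross-origin=none downgrade=none",
    "no-referrer-when-downgrade": "same-origin=full cross-origin=full downgrade=none",
    "origin-when-cross-origin": "same-origin=full cross-origin=origin downgrade=origin",
    "unsafe-url": "same-origin=full cross-origin=full downgrade=full",
}


def parse_policy(policy):
    """Parse 'same-origin=full cross-origin=origin downgrade=none' into a dict.

    A bare named policy is expanded first. Unknown relationships or levels and
    policies that leave a relationship unspecified are rejected rather than
    silently defaulted, so a typo cannot widen what gets sent.
    """
    policy = NAMED_POLICIES.get(policy, policy)
    result = {}
    for token in policy.split():
        key, sep, level = token.partition("=")
        if not sep or key not in RELATIONSHIPS or level not in LEVELS:
            raise ValueError(f"bad policy token: {token!r}")
        result[key] = level
    missing = set(RELATIONSHIPS) - set(result)
    if missing:
        raise ValueError(f"policy does not cover: {sorted(missing)}")
    return result


def policy_is_valid(policy):
    """True when parse_policy accepts the string."""
    try:
        parse_policy(policy)
        return True
    except ValueError:
        return False


def _origin(url):
    """(scheme, host, port) tuple with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def _serialize_origin(origin):
    scheme, host, port = origin
    suffix = "" if port == DEFAULT_PORTS.get(scheme) else f":{port}"
    return f"{scheme}://{host}{suffix}"


def _full_referrer(url):
    """'full' level: origin + path + query, with fragment and userinfo removed."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return _serialize_origin(_origin(url)) + (p.path or "/") + query


def relationship(source, target):
    """Classify the page -> resource relationship as in the message."""
    s, t = _origin(source), _origin(target)
    if s == t:
        return "same-origin"
    if s[0] == "https" and t[0] == "http":
        return "downgrade"
    return "cross-origin"          # includes http -> https, an upgrade


def compute_referrer(policy, source, target):
    """Referrer value to send for a request from `source` to `target`,
    or None when the policy says to send nothing."""
    level = parse_policy(policy)[relationship(source, target)]
    if level == "none":
        return None
    if level == "origin":
        return _serialize_origin(_origin(source))
    return _full_referrer(source)


def no_leakier_than(policy, baseline):
    """True if `policy` discloses at most what `baseline` discloses for
    every relationship (used to check the 'at least as safe as the default'
    note in the message)."""
    a, b = parse_policy(policy), parse_policy(baseline)
    return all(LEVEL_RANK[a[r]] <= LEVEL_RANK[b[r]] for r in RELATIONSHIPS)


if __name__ == "__main__":
    src = "https://example.com/index.html?q=1#top"
    for target in ("https://example.com/other.html",
                   "https://example.net/index.html",
                   "http://example.net/index.html"):
        print(relationship(src, target),
              compute_referrer("same-origin=full cross-origin=origin downgrade=none", src, target))
```

The `no_leakier_than` comparison only makes sense because the three levels are totally ordered per relationship; it is the check you would run before letting a site author pick a policy that is supposed to be a tightening of the default.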