- From: Francois Marier <francois@mozilla.com>
- Date: Fri, 14 Aug 2015 16:04:33 -0700
- To: public-webappsec@w3.org
On 05/08/15 12:50 AM, Mike West wrote: > This behavior is to a large extent the entire point of Referrer Policy. > If we don't give sites a way around the default behavior or dropping the > referrer on downgrade, they'll do it themselves via insecure redirects > (e.g. 't.co <http://t.co>'). Good point, I hadn't considered that. You (and Brad) are right. > Perhaps we could offer something like what you want as an addition > (though I'm not sure I understand the use case (nor do I have a good > naming suggestion)). I looked into this more carefully and identified three different kinds of relationships between a page and one of its resources/links: 1. same-origin: e.g. https://example.com/index.html -> https://example.com/other.html 2. cross-origin: e.g. https://example.com/index.html -> https://example.net/index.html 3. downgrade: e.g. https://example.com/index.html -> http://example.net/index.html Then we have three "levels" of referrer we can send: - full: e.g. https://example.com/index.html - origin-only: e.g. https://example.com - none Which means that if we wanted to let authors control this fully, we would allow them to do something like: referrer="same-origin=full cross-origin=origin downgrade=none" I'm not suggesting that we allow authors to use every possible combination however. I think we can simplify this and only offer the combinations that make sense: 1. same-origin=none cross-origin=none downgrade=none ("no-referrer") 2. same-origin=full cross-origin=none downgrade=none 3. same-origin=full cross-origin=origin downgrade=none 4. same-origin=full cross-origin=full downgrade=none ("no-referrer-when-downgrade") 5. same-origin=full cross-origin=origin downgrade=origin ("origin-when-cross-origin") 6. same-origin=full cross-origin=full downgrade=origin 7. same-origin=full cross-origin=full downgrade=full ("unsafe-url") Notes: - I couldn't think of a use for an author limiting same-origin referrers to origin, so I didn't include the existing "origin-only" policy. - Combinations 1 to 4 are all at least as safe as the default one. - Combinations 2, 3 and 6 are not currently in the spec. - I'm not sure whether or not we need #6. - I would personally use #2 or #3 on my sites. Francois
Received on Friday, 14 August 2015 23:05:03 UTC