referrer spec and backwards compatibility

Hi

(previously on blink-security-dev
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/-t_-5m6ChDg)

Currently, (I believe) in release versions, Firefox supports the
"origin-when-crossorigin" value for the referrer directive while
Chrome doesn't. Unfortunately, the Chrome implementation of the spec
is "if I don't know the name of the directive value, fall back to the
secure 'none'". This means that as a web application developer, I
can't use origin-when-crossorigin since it would break referrer for
far too many users.

I think the spec should be changed to say "if you don't know the name
of the directive, ignore it". This will allow web application
developers to make the best choice according to what they feel is the
right thing to do. For example, the web application could do:

<meta content="unsafe-url" name="referrer" />
<meta content="origin-when-crossorigin" name="referrer" />

This will allow the app to provide the most protection possible
without breaking features and not being limited by what version of the
browser the user is relying on.

What do others think?

cheers
Dev

Received on Monday, 9 February 2015 07:33:19 UTC
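As an added illustration (not part of Dev's message or any browser's code), a small JavaScript model of how the two `<meta name="referrer">` tags above resolve under the current "unknown value falls back to none" rule versus the proposed "ignore unknown values" rule, and which referrer each resolved policy would send. The recognised-value sets, the URLs, the function names and the treatment of the browser default as full-URL are assumptions made for the example.

```javascript
// Added example, not from the original message: how a list of <meta name="referrer">
// values resolves under the two rules discussed, and what referrer results.

// Assumed value sets: an older browser knows only the legacy trio, a newer one
// also knows "origin-when-crossorigin".
const KNOWN_LEGACY = new Set(["none", "origin", "unsafe-url"]);
const KNOWN_NEWER = new Set([...KNOWN_LEGACY, "origin-when-crossorigin"]);

// Last effective value in document order wins. mode "fallback-none": an
// unrecognised value becomes "none" (what the message says Chrome does);
// mode "ignore-unknown": it is skipped (the proposal). null = browser default.
function resolvePolicy(metaValues, known, mode) {
  let policy = null;
  for (const value of metaValues) {
    if (known.has(value)) policy = value;
    else if (mode === "fallback-none") policy = "none";
  }
  return policy;
}

// Referrer sent for a navigation from `fromUrl` to `toUrl` under `policy`.
// Assumption: the browser default sends the full URL (real browsers also drop
// it on HTTPS->HTTP downgrades; not modelled here).
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const originOnly = from.origin + "/"; // origin serialisation has a trailing slash
  const full = from.href.split("#")[0]; // the fragment is never sent
  switch (policy) {
    case "none":
      return "";
    case "origin":
      return originOnly;
    case "origin-when-crossorigin":
      return from.origin === to.origin ? full : originOnly;
    default: // "unsafe-url" or browser default
      return full;
  }
}

// The two tags from the message, in document order, and the policy each
// kind of browser ends up with.
const META_VALUES = ["unsafe-url", "origin-when-crossorigin"];
function outcomes() {
  return {
    olderFallbackNone: resolvePolicy(META_VALUES, KNOWN_LEGACY, "fallback-none"),
    olderIgnoreUnknown: resolvePolicy(META_VALUES, KNOWN_LEGACY, "ignore-unknown"),
    newer: resolvePolicy(META_VALUES, KNOWN_NEWER, "fallback-none"),
  };
}
```

Under the fallback rule an older browser ends up sending no referrer at all for that tag pair, while under the ignore rule it keeps `unsafe-url` and a newer browser gets the stricter `origin-when-crossorigin` either way.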