
[Referrer] Adding a referrer attribute delivery mechanism

From: Francois Marier <francois@mozilla.com>
Date: Thu, 12 Feb 2015 18:19:24 +1300
Message-ID: <54DC37DC.20203@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

It seems like the referrer spec should include (and extend) the
capability provided by <a> and <area> in the HTML5 spec [1]:

  <a href="http://example.com" rel="noreferrer">Example</a>

I've proposed an initial PR [2] that looks like this:

  <a href="http://example.com" referrer="no-referrer">Example</a>

Of course, we could probably extend this to other elements, but my
initial goal was to subsume the HTML5 link type.

This new delivery mechanism would allow websites to specify a
restrictive global policy (via <meta> or CSP) and then override it with
a more permissive one on an <a>-by-<a> basis.

Francois

[1] https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer

[2] https://github.com/w3c/webappsec/pull/175
Received on Thursday, 12 February 2015 05:19:57 UTC
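
The precedence described in the message above (a restrictive document-wide policy, overridden on individual links), modeled as an added example that is not part of the original message or of the proposed PR. The function names and sample URLs are constructed, and two behaviours are assumptions the message does not state: rel="noreferrer" wins over the attribute, and an unrecognized attribute value falls back to the document policy.

```javascript
// Added example. Policy names are the Referrer Policy draft's values;
// function names and sample URLs are constructed for illustration.
const POLICIES = new Set(['no-referrer', 'no-referrer-when-downgrade',
  'origin', 'origin-when-cross-origin', 'unsafe-url']);

// Drop fragment and credentials; optionally reduce to the origin only.
function stripUrl(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + '/';
  u.hash = ''; u.username = ''; u.password = '';
  return u.href;
}

// Referer header value for one policy, or null when no header is sent.
function referrerFor(policy, source, target) {
  const src = new URL(source), dst = new URL(target);
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripUrl(source, false);
    case 'origin': return stripUrl(source, true);
    case 'origin-when-cross-origin':
      return stripUrl(source, src.origin !== dst.origin);
    case 'unsafe-url': return stripUrl(source, false);
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Assumptions: rel="noreferrer" always wins, and an unrecognized
// referrer="" value is ignored in favour of the document-wide policy.
function effectivePolicy(link, documentPolicy) {
  if ((link.rel || '').split(/\s+/).includes('noreferrer')) return 'no-referrer';
  return POLICIES.has(link.referrer) ? link.referrer : documentPolicy;
}

function refererHeader(link, documentPolicy, pageUrl) {
  return referrerFor(effectivePolicy(link, documentPolicy), pageUrl, link.href);
}

// Constructed scenario: restrictive global policy, one link opted in.
const PAGE = 'https://shop.example/account/orders?id=42#top';
const links = [
  { href: 'https://partner.example/landing', referrer: 'origin' },
  { href: 'https://other.example/' },
  { href: 'https://partner.example/x', rel: 'noreferrer', referrer: 'unsafe-url' },
];
for (const l of links) console.log(l.href, '->', refererHeader(l, 'no-referrer', PAGE));
```

Only the first link discloses anything, and only the origin; the path and query string of the account page never leave the site.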
