[Referrer] Adding a referrer attribute delivery mechanism

It seems like the referrer spec should include (and extend) the
capability provided by <a> and <area> in the HTML5 spec [1]:

  <a href="http://example.com" rel="noreferrer">Example</a>

I've proposed an initial PR [2] that looks like this:

  <a href="http://example.com" referrer="no-referrer">Example</a>

Of course, we could probably extend this to other elements, but my
initial goal was to subsume the HTML5 link type.

This new delivery mechanism would allow websites to specify a
restrictive global policy (via <meta> or CSP) and then override it with
a more permissive one on an <a> by <a> basis.

Francois

[1] https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer

[2] https://github.com/w3c/webappsec/pull/175

Received on Thursday, 12 February 2015 05:19:57 UTC
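
The override behaviour proposed in the message above, modelled as an added example (not code from the PR, the spec or any browser): a restrictive page-wide policy with a per-link `referrer` attribute relaxing it. Assumptions: links are plain objects, the policy names are those of the Referrer Policy spec, and the precedence order (attribute, then `rel="noreferrer"`, then the global policy) and the fallback default are illustrative choices.

```javascript
// Added example. The `referrer` attribute name follows the PR quoted in the
// message; precedence and the fallback default are assumptions for illustration.
const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "unsafe-url",
]);

// Pick the policy for one link: per-element attribute first, then the HTML5
// rel="noreferrer" link type, then the page-wide policy from <meta> or CSP.
function effectivePolicy(link, globalPolicy) {
  const attr = (link.referrer || "").toLowerCase();
  if (POLICIES.has(attr)) return attr; // unknown values are ignored, not trusted
  const rel = (link.rel || "").toLowerCase().split(/\s+/);
  if (rel.includes("noreferrer")) return "no-referrer";
  return POLICIES.has(globalPolicy) ? globalPolicy : "no-referrer-when-downgrade";
}

// Return the Referer value a navigation would carry, or null when none is sent.
function referrerFor(pageUrl, link, globalPolicy) {
  const from = new URL(pageUrl);
  const to = new URL(link.href, from);
  // Credentials and fragments never belong in a referrer.
  from.username = "";
  from.password = "";
  from.hash = "";
  const full = from.href;
  const originOnly = from.origin + "/";
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (effectivePolicy(link, globalPolicy)) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "origin-when-cross-origin":
      return from.origin === to.origin ? full : originOnly;
    default: return full; // "unsafe-url"
  }
}

// Constructed sample: a page with a global "no-referrer" policy and two links.
const page = "https://intranet.example/reports/q1?user=alice#top";
const links = [
  { href: "http://example.com" },                     // inherits global policy
  { href: "http://example.com", referrer: "origin" }, // per-link override
];
for (const l of links) console.log(l, "->", referrerFor(page, l, "no-referrer"));
```

Because the per-link value can be more permissive than the global policy, a policy audit has to cover every element carrying the attribute, not just the `<meta>` tag or CSP header.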