Re: [Referrer] Adding a referrer attribute delivery mechanism

Just a curious note. Why bother disabling the referrer header? I worry
it's a partial attempt to prevent sensitive data from leaking via HTTP
GET query-strings.

Earlier RFCs recommended that GETs be idempotent and not contain
sensitive data. Is there any possibility that concept could be
enforced somehow?

--
Jim Manico
@Manicode
(808) 652-3805

> On Feb 12, 2015, at 6:21 AM, Francois Marier <francois@mozilla.com> wrote:
>
> It seems like the referrer spec should include (and extend) the
> capability provided by <a> and <area> in the HTML5 spec [1]:
>
>  <a href="http://example.com" rel="noreferrer">Example</a>
>
> I've proposed an initial PR [2] that looks like this:
>
>  <a href="http://example.com" referrer="no-referrer">Example</a>
>
> Of course, we could probably extend this to other elements, but my
> initial goal was to subsume the HTML5 link type.
>
> This new delivery mechanism would allow websites to specify a
> restrictive global policy (via <meta> or CSP) and then override it with
> a more permissive one on a <a> by <a> basis.
>
> Francois
>
> [1]
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
>
> [2] https://github.com/w3c/webappsec/pull/175
>

Received on Thursday, 12 February 2015 05:39:50 UTC
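
The per-link override described in the quoted proposal, together with the query-string exposure raised in the reply, as an added JavaScript example that is not part of the thread or of the spec PR. Policy names are those of the Referrer Policy spec; `effectivePolicy`, `referrerFor`, the fallback rules and the sample URLs are assumptions constructed for illustration.

```javascript
// Policy tokens as named in the Referrer Policy spec.
const POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'origin',
  'origin-when-cross-origin', 'unsafe-url',
]);

// Assumption: a valid per-element attribute wins over the document-wide
// policy; an invalid global policy falls back to no-referrer-when-downgrade.
function effectivePolicy(globalPolicy, elementPolicy) {
  if (elementPolicy && POLICIES.has(elementPolicy)) return elementPolicy;
  return POLICIES.has(globalPolicy) ? globalPolicy : 'no-referrer-when-downgrade';
}

// Returns the Referer value a navigation would carry, or null when none is sent.
function referrerFor(documentUrl, targetUrl, globalPolicy, elementPolicy) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  doc.hash = '';      // fragment and credentials are stripped before sending
  doc.username = '';
  doc.password = '';
  const full = doc.href;              // still includes the query string
  const originOnly = doc.origin + '/';
  const downgrade = doc.protocol === 'https:' && target.protocol !== 'https:';
  switch (effectivePolicy(globalPolicy, elementPolicy)) {
    case 'no-referrer': return null;
    case 'origin': return originOnly;
    case 'unsafe-url': return full;
    case 'origin-when-cross-origin':
      return doc.origin === target.origin ? full : originOnly;
    default:          // no-referrer-when-downgrade
      return downgrade ? null : full;
  }
}

// Constructed sample: a page whose GET query string carries a token.
const page = 'https://shop.example/reset?token=SAMPLE-TOKEN#step2';
const link = 'https://example.com/';

// Audit view: what each per-link override would disclose under a
// restrictive global policy of no-referrer.
function auditOverrides() {
  return ['origin', 'origin-when-cross-origin', 'unsafe-url'].map((p) => ({
    override: p,
    sent: referrerFor(page, link, 'no-referrer', p),
  }));
}
console.log(referrerFor(page, link, 'no-referrer'), auditOverrides());
```

Only the `unsafe-url` override sends the query string cross-origin here, which makes it the attribute value to look for when reviewing markup on pages that keep data in GET parameters.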