- From: Jim Manico <jim.manico@owasp.org>
- Date: Thu, 12 Feb 2015 06:39:22 +0100
- To: Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Just a curious note. Why bother disabling the referrer header? I worry it's a partial attempt to prevent sensitive data from leaking via HTTP GET query-strings. Earlier RFCs recommended that GETs be idempotent and not contain sensitive data. Is there any possibility that concept could be enforced somehow?

--
Jim Manico
@Manicode
(808) 652-3805

> On Feb 12, 2015, at 6:21 AM, Francois Marier <francois@mozilla.com> wrote:
>
> It seems like the referrer spec should include (and extend) the
> capability provided by <a> and <area> in the HTML5 spec [1]:
>
> <a href="http://example.com" rel="noreferrer">Example</a>
>
> I've proposed an initial PR [2] that looks like this:
>
> <a href="http://example.com" referrer="no-referrer">Example</a>
>
> Of course, we could probably extend this to other elements, but my
> initial goal was to subsume the HTML5 link type.
>
> This new delivery mechanism would allow websites to specify a
> restrictive global policy (via <meta> or CSP) and then override it with
> a more permissive one on a <a> by <a> basis.
>
> Francois
>
> [1]
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
>
> [2] https://github.com/w3c/webappsec/pull/175
Received on Thursday, 12 February 2015 05:39:50 UTC
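As an added illustration, not code from the thread or from the webappsec PR: a small function that works out what a browser would place in the Referer header for a link under a page-wide policy with an optional per-link override, in the shape Francois describes, and makes Jim's query-string concern concrete. It assumes the policy names from the Referrer Policy spec beyond the thread's "no-referrer" ("no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "unsafe-url"), treats https-to-http as the only downgrade case, and uses constructed sample URLs.

```javascript
// Added example: effective Referer value for a link.
// Assumed policy names follow the Referrer Policy spec; "no-referrer" is the
// only value the thread itself uses. The per-link value overrides the
// page-wide (<meta> / CSP) policy, as the proposal describes.

// Credentials and the fragment are never sent in Referer under any policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Assumption: only an https -> http navigation counts as a downgrade here.
function isDowngrade(src, dst) {
  return src.protocol === "https:" && dst.protocol === "http:";
}

// Returns the Referer string, or null when no header would be sent.
function effectiveReferrer(sourceUrl, destUrl, globalPolicy, linkPolicy) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  // Per-link override wins; assumed fallback when nothing is set.
  const policy = linkPolicy || globalPolicy || "no-referrer-when-downgrade";
  const full = stripForReferrer(sourceUrl);
  const originOnly = src.origin + "/";
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return isDowngrade(src, dst) ? null : full;
    case "origin":
      return originOnly;
    case "origin-when-cross-origin":
      return src.origin === dst.origin ? full : originOnly;
    case "unsafe-url":
      return full; // query string, token included, goes out
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Jim's concern, made concrete (constructed sample URLs): a page carrying a
// token in its query string, linking to a third party.
const page = "https://bank.example/account?token=SECRET123#top";
console.log(effectiveReferrer(page, "http://tracker.example/", "unsafe-url"));
// -> "https://bank.example/account?token=SECRET123" (token leaks)
console.log(effectiveReferrer(page, "http://tracker.example/", "origin"));
// -> "https://bank.example/" (query string withheld)
```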