
Re: [Referrer] Adding a referrer attribute delivery mechanism

From: Jim Manico <jim.manico@owasp.org>
Date: Thu, 12 Feb 2015 06:39:22 +0100
Message-ID: <-2923478337500124117@unknownmsgid>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Just a curious note. Why bother disabling the referrer header? I worry
it's a partial attempt to prevent sensitive data from leaking via HTTP
GET query-strings.

Earlier RFCs recommended that GETs be idempotent and not contain
sensitive data. Is there any possibility that concept could be
enforced somehow?

--
Jim Manico
@Manicode
(808) 652-3805

> On Feb 12, 2015, at 6:21 AM, Francois Marier <francois@mozilla.com> wrote:
>
> It seems like the referrer spec should include (and extend) the
> capability provided by <a> and <area> in the HTML5 spec [1]:
>
>  <a href="http://example.com" rel="noreferrer">Example</a>
>
> I've proposed an initial PR [2] that looks like this:
>
>  <a href="http://example.com" referrer="no-referrer">Example</a>
>
> Of course, we could probably extend this to other elements, but my
> initial goal was to subsume the HTML5 link type.
>
> This new delivery mechanism would allow websites to specify a
> restrictive global policy (via <meta> or CSP) and then override it with
> a more permissive one on a <a> by <a> basis.
>
> Francois
>
> [1] https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
>
> [2] https://github.com/w3c/webappsec/pull/175
>
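The two messages above describe a delivery mechanism (a document-wide policy set via `<meta>` or CSP, overridden per link by an attribute on `<a>`) and a worry about query strings leaking through the Referer header. The following JavaScript is an added illustration, not code from the thread, the W3C spec or the linked PR: it models how a per-element policy would override the document policy and what Referer value each policy produces, using a page URL that carries a secret in its query string. The policy names are those of the Referrer Policy draft of the period; the per-link attribute name `referrer` is the one proposed in the quoted message (HTML later standardized the attribute as `referrerpolicy`), and all URLs and link lists are constructed sample data.

```javascript
// Added example: model of document-wide vs per-link referrer policy resolution
// and the Referer value each policy yields. Not the spec's algorithm verbatim.

// Policy names from the Referrer Policy draft of the time (assumption: the
// exact set in the Feb 2015 draft may differ slightly).
const POLICIES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "origin",
  "origin-when-cross-origin",
  "unsafe-url",
]);

// The element attribute (proposed name `referrer`) wins over the document
// policy; an unrecognised value is ignored so it cannot loosen the policy.
function effectivePolicy(documentPolicy, elementPolicy) {
  if (elementPolicy && POLICIES.has(elementPolicy)) return elementPolicy;
  return POLICIES.has(documentPolicy) ? documentPolicy : "no-referrer-when-downgrade";
}

// Credentials and fragment are never sent in Referer; the query string is.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

function originOf(u) {
  return new URL(u).origin + "/";
}

// Referer value (or null for "send nothing") for a navigation from -> to.
function referrerFor(from, to, policy) {
  const src = new URL(from);
  const dst = new URL(to);
  const downgrade = src.protocol === "https:" && dst.protocol === "http:";
  const sameOrigin = src.origin === dst.origin;
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripForReferrer(from);
    case "origin":
      return originOf(from);
    case "origin-when-cross-origin":
      return sameOrigin ? stripForReferrer(from) : originOf(from);
    case "unsafe-url":
      return stripForReferrer(from);
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Resolve every link on a page: which policy governs it and what it sends.
function resolveLinks(pageUrl, documentPolicy, links) {
  return links.map(({ href, referrer }) => {
    const policy = effectivePolicy(documentPolicy, referrer);
    return { href, policy, referer: referrerFor(pageUrl, href, policy) };
  });
}

// Constructed sample: the page URL carries a token in its query string, the
// exact leak the thread worries about; the document policy is restrictive
// and individual links opt into more permissive behaviour.
const PAGE = "https://app.example/reset?token=SECRET123";
const SAMPLE_LINKS = [
  { href: "https://partner.example/landing" },                     // inherits document policy
  { href: "https://partner.example/landing", referrer: "origin" }, // per-link override
  { href: "https://app.example/help", referrer: "unsafe-url" },    // leaks the token
  { href: "http://legacy.example/", referrer: "no-referrer-when-downgrade" },
];

for (const r of resolveLinks(PAGE, "no-referrer", SAMPLE_LINKS)) {
  console.log(r.policy.padEnd(28), r.href.padEnd(36), String(r.referer));
}
```

Running it shows that only the link which explicitly chooses `unsafe-url` ever transmits the token; the document-wide `no-referrer` policy covers every link that does not override it, and the `origin` override sends just `https://app.example/`. That is the distinction Jim's note points at: a referrer policy limits where the query string travels, while keeping secrets out of GET URLs in the first place removes the exposure entirely.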
Received on Thursday, 12 February 2015 05:39:50 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC