Re: [Referrer] Adding a referrer attribute delivery mechanism

From: Mike West <mkwst@google.com>
Date: Thu, 12 Feb 2015 08:43:15 +0100
Message-ID: <CAKXHy=f=AVbfptJMn=nZYTOz_qAAKNJPftGpwZcZjyA=jSMy2A@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Feb 12, 2015 at 7:15 AM, Brian Smith <brian@briansmith.org> wrote:
> Francois Marier <francois@mozilla.com> wrote:
>> I've proposed an initial PR [2] that looks like this:
>>
>>   <a href="http://example.com" referrer="no-referrer">Example</a>
>
> I think this is a great idea.

I think so too.

>
>> Of course, we could probably extend this to other elements, but my
>> initial goal was to subsume the HTML5 link type.
>
> I suggest, to start with, extending it to <img> and <iframe>, so that
> the page can control how much of the referrer header is sent to ads.

Sounds good to me.

>
> I made some comments on the PR already, mostly about
> s/no-referrer/none/ to match the rest of the spec.

You'll need to do a bit of work to wire the attribute up to the
referrer-setting mechanisms in the algorithms section. They're
currently operating on the global document-level flag, and don't know
anything about the mechanism you're introducing. You'll need to inject
that policy into the Fetch somehow, which will probably require
changes to HTML. We can monkey-patch them in the spec for the moment,
and then talk to the respective WHATWG and W3C folks.

I wouldn't mind landing this PR as an indication of the direction we'd
like to go in, but please add an issue to the document with some notes
about the spec work that's remaining.

>
> Also, it needs to be defined what happens when the link has <a
> rel=noreferrer referrer=unsafe-url>. I suggest specifying that the
> rel=noreferrer takes precedence.

I agree.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
Registration court and number: Hamburg, HRB 86891, Registered
office: Hamburg, Managing directors: Graham Law, Christine
Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 12 February 2015 07:44:07 UTC
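
The precedence agreed on in this message (rel=noreferrer over the per-element referrer attribute, which in turn overrides the document-level policy), as an added example that is not part of the original message, the PR, or the spec. The function names, the plain-object stand-in for an element, the "origin" and "default" tokens, and the fallback for unrecognized attribute values are assumptions made for illustration.

```javascript
// Added illustration: models the precedence discussed in the thread, not spec text.
// "none" and "unsafe-url" appear in the thread ("no-referrer" is the PR's spelling
// of "none"); "origin" and "default" are assumed tokens added for completeness.
const KNOWN = new Set(["none", "origin", "unsafe-url", "default"]);

function normalize(token) {
  if (typeof token !== "string") return null;
  const t = token.trim().toLowerCase();
  if (t === "no-referrer") return "none";
  return KNOWN.has(t) ? t : null; // unknown tokens are ignored (assumption)
}

// el: { rel?: string, referrer?: string } stands in for an <a>, <img> or <iframe>.
// docPolicy: the document-level policy token the algorithms currently use.
function effectivePolicy(el, docPolicy) {
  const rels = (el.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  if (rels.includes("noreferrer")) return "none"; // rel=noreferrer takes precedence
  return normalize(el.referrer) || normalize(docPolicy) || "default";
}

// Returns the referrer value that would be sent, or null when it is withheld.
function referrerFor(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // Fragments and credentials never belong in a referrer.
  page.hash = "";
  page.username = "";
  page.password = "";
  switch (policy) {
    case "none":
      return null;
    case "origin":
      return page.origin + "/";
    case "unsafe-url":
      return page.href; // full URL, even on an HTTPS -> HTTP downgrade
    default:
      // Assumed default: withhold the referrer on an HTTPS -> HTTP downgrade.
      return page.protocol === "https:" && target.protocol !== "https:"
        ? null
        : page.href;
  }
}

// Constructed sample: the conflicting link from the thread.
const link = { rel: "noreferrer", referrer: "unsafe-url" };
console.log(effectivePolicy(link, "default"));
```
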