W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: [Referrer] Adding a referrer attribute delivery mechanism

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 13 Feb 2015 00:30:11 -0800
Message-ID: <CAPfop_1bgYQMNEXmoaXQ2JYUciVerEdTtuGsvtSHO-8coW8JxQ@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: public-webappsec@w3.org

How about requiring the page-level directive to opt in to that behavior by
asking it to add an unsafe-allow-override in the referrer policy? Otherwise
any HTML injection (img, say) allows leaking the current URI via a referrer,
which breaks the high-level guarantee the referrer policy can provide.
On Feb 12, 2015 11:35 PM, "Francois Marier" <francois@mozilla.com> wrote:

> On 13/02/15 19:08, Devdatta Akhawe wrote:
> > There is a huge advantage to the page wide policy since it makes
> > reasoning about the security of a web application a lot more
> > tractable. I would be worried about letting a local element override
> > the page wide policy
>
> As you point out, this is not part of the pull request, but what I was
> thinking is that the element attribute would take precedence over the
> page policy (at least the one defined in the meta tag, I'm not entirely
> sure where the CSP policy would fit in).
>
> This is important because it allows someone to say:
>
> - no referrer for everything on this page
> - except for this one link to an internal property because we need the
> origin and path
>
> If we have the meta policy take precedence over the policy in each link,
> then the web developer in the above example isn't going to be able to
> use a restrictive global policy.
>
> Francois
>
>
Received on Friday, 13 February 2015 08:30:38 UTC
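
The two precedence rules argued over in this thread, as an added example that is not part of the original message or of any W3C draft: a small JavaScript model that resolves the effective policy for each outgoing request on a constructed page and reports what Referer value would leave the document. The attribute name `referrerpolicy`, the opt-in token `unsafe-allow-override` (Devdatta's proposal above), the page URL and the markup are all assumptions or constructed inputs. The page in the model carries a restrictive global `no-referrer` policy, one deliberate per-link relaxation (Francois's use case), and one injected `<img>` carrying its own `unsafe-url` attribute (the injection case Devdatta raises); the model shows that under "element wins" the injected element leaks the full URL including the query string, while under the opt-in rule the page policy holds unless the author explicitly opted in. The per-element `referrerpolicy` attribute that eventually shipped does override the document policy, so the "element wins" branch is the one to reason about when reviewing a real page.

```javascript
// Added example (not from the thread): a model of the two precedence rules
// discussed above, applied to a constructed page. Names are assumptions:
// the element attribute is called `referrerpolicy` and the page-level opt-in
// token is `unsafe-allow-override`, as proposed in the message.

const PAGE_URL = "https://app.example/account/secret?token=abc123"; // constructed

// Compute the Referer value a request would carry under one policy token.
// Only the policy values the thread needs are modelled.
function referrerFor(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const stripped = page.origin + page.pathname + page.search; // no fragment, no credentials
  switch (policy) {
    case "no-referrer":
      return null;
    case "origin":
      return page.origin + "/";
    case "origin-when-cross-origin":
      return page.origin === target.origin ? stripped : page.origin + "/";
    case "no-referrer-when-downgrade":
      return page.protocol === "https:" && target.protocol === "http:" ? null : stripped;
    case "unsafe-url":
      return stripped;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Francois's rule: an element-level policy always wins over the page policy.
function resolveElementWins(pagePolicy, elementPolicy) {
  return elementPolicy || pagePolicy;
}

// Devdatta's rule: the element policy only wins if the page policy opted in
// with the (hypothetical) unsafe-allow-override token.
function resolveOptIn(pageDirective, elementPolicy) {
  const tokens = pageDirective.split(/\s+/).filter(Boolean);
  const allowOverride = tokens.includes("unsafe-allow-override");
  const pagePolicy = tokens.find((t) => t !== "unsafe-allow-override") || "no-referrer-when-downgrade";
  return allowOverride && elementPolicy ? elementPolicy : pagePolicy;
}

// Minimal extraction of src/href and referrerpolicy attributes from a
// constructed markup string. Not an HTML parser; enough for the demo.
function extractRequests(html) {
  const out = [];
  const tagRe = /<(a|img)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[2];
    const url = (/\b(?:src|href)="([^"]+)"/i.exec(attrs) || [])[1];
    const policy = (/\breferrerpolicy="([^"]+)"/i.exec(attrs) || [])[1] || null;
    if (url) out.push({ tag: m[1].toLowerCase(), url, elementPolicy: policy });
  }
  return out;
}

// Referer each outgoing request would carry, keyed by target URL,
// under the chosen precedence rule ("element-wins" or "opt-in").
function leakedReferrers(html, pageDirective, rule) {
  const result = {};
  for (const req of extractRequests(html)) {
    const policy = rule === "element-wins"
      ? resolveElementWins(pageDirective.split(/\s+/)[0], req.elementPolicy)
      : resolveOptIn(pageDirective, req.elementPolicy);
    result[req.url] = referrerFor(policy, PAGE_URL, req.url);
  }
  return result;
}

// Constructed page: restrictive global policy, one deliberate per-link
// relaxation, and one injected <img> (the attack case raised in the message).
const PAGE_HTML = `
<a href="https://intranet.example/tickets" referrerpolicy="origin">support</a>
<a href="https://partner.example/">partner</a>
<img src="https://attacker.example/pixel.gif" referrerpolicy="unsafe-url">
`;

// Stand-alone run: compare the two rules on the constructed page.
if (typeof require !== "undefined" && require.main === module) {
  console.log("element wins:", leakedReferrers(PAGE_HTML, "no-referrer", "element-wins"));
  console.log("opt-in, no opt-in given:", leakedReferrers(PAGE_HTML, "no-referrer", "opt-in"));
  console.log("opt-in granted:", leakedReferrers(PAGE_HTML, "no-referrer unsafe-allow-override", "opt-in"));
}
```

The trade-off the thread is weighing is visible in the output: the opt-in rule without the token keeps the injected image from leaking anything, but it also strips the deliberate relaxation on the intranet link, which is exactly what Francois wants to keep; only a page that opts in gets both, and that page is back to trusting every element it renders.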