
Re: [Referrer] Adding a referrer attribute delivery mechanism

From: Brian Smith <brian@briansmith.org>
Date: Fri, 13 Feb 2015 10:50:27 -0800
Message-ID: <CAFewVt7msb6yWS932uPyxEr9+-hHCum=oyoNvOL_jy1W8FUxbg@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Francois Marier <francois@mozilla.com> wrote:
> On 13/02/15 21:30, Devdatta Akhawe wrote:
>> How about requiring the page level directive to opt-in to that behavior
>> by asking it to add an unsafe-allow-override in the referrer policy?
>> Otherwise any html injection (img say) allows leaking the current uri
>> via a referrer, which breaks the high level guarantee the referrer
>> policy can provide.
>
> Ah, good point about injections. The usual answer to injection problems
> is to "use CSP" so maybe the CSP policy should be a non-overridable
> global policy while the <meta> would be overridable?

How about this:

1. We set the defaults to be strict.
2. We allow the referrer attribute to make the policy less strict on a
per-link/subresource basis.
3. The CSP directives are used to specify the maximum amount of
disclosure of referrer information that everything will be capped at.

Then we probably don't even need <meta referrer> at all.

This is part of what I described at
https://briansmith.org/referrer-01, except I abused the "rel"
attribute instead of introducing a new "referrer" attribute.

Cheers,
Brian
Received on Friday, 13 February 2015 18:50:54 UTC
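The three-layer scheme Brian sketches (a strict default, a per-element attribute that may only relax it, and a CSP-declared cap that bounds everything) can be modelled in a few lines. The following is an added illustration, not code from the thread or from any browser; the policy names are the current Referrer Policy values, the disclosure ranking and the `effectivePolicy`/`referrerFor` helpers are this example's own simplification of the spec algorithm, and the URLs are constructed sample values. It shows why the cap matters for Devdatta's injection case: an injected `<img referrer="unsafe-url">` on a page whose CSP caps disclosure at `origin` still leaks only the origin, not the full URI.

```javascript
// Added example: model of "strict default, attribute may relax, CSP caps".
// Ranking is an assumption for this example: higher index = more disclosure.
const DISCLOSURE_ORDER = [
  "no-referrer",                      // send nothing
  "origin",                           // origin only, always
  "strict-origin-when-cross-origin",  // full URL same-origin, origin cross-origin, nothing on downgrade
  "no-referrer-when-downgrade",       // full URL unless HTTPS -> HTTP
  "unsafe-url",                       // full URL always
];

function rank(policy) {
  const i = DISCLOSURE_ORDER.indexOf(policy);
  if (i < 0) throw new Error(`unknown policy: ${policy}`);
  return i;
}

// Effective policy for one request: start from the strict default, let the
// element's own attribute relax it, then clamp at the CSP-declared maximum.
function effectivePolicy({ defaultPolicy = "no-referrer", elementPolicy = null, cspCap = null }) {
  let chosen = elementPolicy ?? defaultPolicy;
  if (cspCap !== null && rank(chosen) > rank(cspCap)) chosen = cspCap;
  return chosen;
}

// Referer value a request from `from` to `to` would carry under `policy`.
// Simplified: credentials and fragment are always stripped, as the spec requires.
function referrerFor(policy, from, to) {
  const src = new URL(from), dst = new URL(to);
  const full = src.origin + src.pathname + src.search;
  const originOnly = src.origin + "/";
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol === "http:";
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return originOnly;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "unsafe-url": return full;
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed scenario: a page whose URL carries a secret-looking query string,
// and an injected image pointing at a third-party host.
const PAGE = "https://app.example/reset?token=EXAMPLE";
const INJECTED_IMG = "https://third-party.example/pixel.png";

// Injected element asks for unsafe-url, but CSP caps at origin.
function leakWithCap() {
  const policy = effectivePolicy({ elementPolicy: "unsafe-url", cspCap: "origin" });
  return referrerFor(policy, PAGE, INJECTED_IMG);        // "https://app.example/"
}

// Same injection on a page with no CSP cap: the full URI leaks.
function leakWithoutCap() {
  const policy = effectivePolicy({ elementPolicy: "unsafe-url" });
  return referrerFor(policy, PAGE, INJECTED_IMG);        // full URL with query
}

// No attribute, no cap: the strict default sends nothing.
function leakDefault() {
  return referrerFor(effectivePolicy({}), PAGE, INJECTED_IMG); // null
}
```

The design point is that the attribute and the cap compose by taking the less disclosing of the two, so an attacker who can inject markup gains no more than the page's CSP already permits; only the party able to set response headers can raise the ceiling.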
