
Re: [Referrer] Adding a referrer attribute delivery mechanism

From: Sid Stamm <sid@mozilla.com>
Date: Fri, 20 Mar 2015 16:35:33 -0400
Message-ID: <CAP=NJFMmSc8YVDrDJLSd5GUQjY_MxP4wCG4bs_DopdcTo4scSQ@mail.gmail.com>
To: public-webappsec@w3.org
Reviving a thread from a bit more than one month ago:

On Fri, 13 Feb 2015, Brian Smith <brian@briansmith.org> wrote:
>How about this?:

I like your direction here, Brian!

>1. We set the defaults to be strict.
>2. We allow the referrer attribute to make the policy less strict on a
>per-link/subresource basis.

I fully support these first two.  What does this group think of making
the default referrer "origin, but none when downgrade" for
implementing user agents?  Given my choice, I'd love the default to be
no-referrer, but I realize that's a huge change and it seems to me
that "origin" takes care of many privacy concerns here.

>3. The CSP directives are used to specify the maximum amount of
>disclosure of referrer information that everything will be capped at.

I think the referrer directive should define "document default" (much
like what meta referrer does) but I can imagine another directive or
special token in the referrer directive that could make the
CSP-defined policy a cap.  Maybe something like:

  referrer max-policy origin-when-crossorigin

>Then we probably don't even need <meta referrer> at all.

I'm not sure that's the case.  I think many site developers would
still prefer to use a meta referrer to set a blanket default for a
page.  Depending on a server/CDN setup, devs may not be able to
control the CSP per-request or per-document, but still be able to
write meta tags.  I much prefer CSP delivery of a referrer policy, but
there are also use cases for meta tags.

-Sid
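The mechanics discussed above, worked through in code as an added example (not part of the original message or of any browser or spec implementation): what each referrer policy actually discloses for a given source and destination, how a per-link attribute overrides a document default, and how a CSP-delivered cap bounds both by keeping whichever result discloses less. Policy names follow the Referrer Policy spec; "strict-origin" is the spec's later name for the "origin, but none when downgrade" default Sid proposes, and the `max-policy` token is Sid's hypothetical cap syntax, not a shipped CSP feature.

```python
"""Constructed model of referrer-policy evaluation and a CSP cap.

Not browser or spec code.  "strict-origin" models the "origin, but none
when downgrade" default proposed in the thread; "max-policy" is the
hypothetical cap token from the same message.
"""
from urllib.parse import urlsplit, urlunsplit

# Early drafts spelled one policy without the second hyphen; accept both.
_ALIASES = {"origin-when-crossorigin": "origin-when-cross-origin"}
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "origin",
            "strict-origin", "origin-when-cross-origin", "unsafe-url"}


def normalize(policy):
    policy = policy.strip().lower()
    policy = _ALIASES.get(policy, policy)
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    return policy


def _host(parts):
    # Credentials never belong in a Referer header; drop any user:pass@.
    return parts.netloc.rsplit("@", 1)[-1]


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}"


def stripped_url(url):
    # Even a "full" referrer loses the fragment and credentials.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path, p.query, ""))


def is_downgrade(src, dst):
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referrer_for(policy, src, dst):
    """Referer value (or None) sent from document `src` to request `dst`."""
    policy = normalize(policy)
    same_origin = origin_of(src) == origin_of(dst)
    downgrade = is_downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else stripped_url(src)
    if policy == "origin":
        return origin_of(src)
    if policy == "strict-origin":            # "origin, but none when downgrade"
        return None if downgrade else origin_of(src)
    if policy == "origin-when-cross-origin":
        return stripped_url(src) if same_origin else origin_of(src)
    return stripped_url(src)                 # unsafe-url


def disclosure_level(referrer, src):
    """0 = nothing sent, 1 = origin only, 2 = full URL (path and query)."""
    if referrer is None:
        return 0
    return 1 if referrer == origin_of(src) else 2


def parse_referrer_directive(directive):
    """Parse 'referrer <policy>' (document default) or the hypothetical
    'referrer max-policy <policy>' (cap).  Returns (default, cap)."""
    tokens = directive.split()
    if not tokens or tokens[0] != "referrer":
        raise ValueError("not a referrer directive")
    if len(tokens) == 3 and tokens[1] == "max-policy":
        return None, normalize(tokens[2])
    if len(tokens) == 2:
        return normalize(tokens[1]), None
    raise ValueError(f"malformed directive: {directive!r}")


def effective_referrer(src, dst, document_default="strict-origin",
                       link_policy=None, cap=None):
    """A per-link attribute overrides the document default; a cap bounds
    both by keeping whichever result discloses less."""
    chosen = link_policy or document_default
    result = referrer_for(chosen, src, dst)
    if cap is not None:
        capped = referrer_for(cap, src, dst)
        if disclosure_level(capped, src) < disclosure_level(result, src):
            result = capped
    return result


if __name__ == "__main__":
    # Constructed sample: a page with credentials, query and fragment in its URL.
    src = "https://user:pw@shop.example/cart?id=9#top"
    _, cap = parse_referrer_directive("referrer max-policy origin-when-crossorigin")
    for dst in ("https://shop.example/help", "https://ads.example/px",
                "http://ads.example/px"):
        print(dst, "->", effective_referrer(src, dst, link_policy="unsafe-url", cap=cap))
```

Comparing the two candidate results by disclosure level, rather than ranking the policy names, is deliberate: the policies do not form a total order (`origin-when-cross-origin` discloses more than `no-referrer-when-downgrade` on a cross-origin HTTPS request but less on a downgrade), so a cap is only well defined per request.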
Received on Friday, 20 March 2015 20:36:00 UTC