
[REFERRER] Combining referrer policies

From: Ryan Townsend <ryan@ryantownsend.co.uk>
Date: Mon, 27 Jun 2016 11:36:02 +0100
Message-ID: <CAJZ-wwE7yugHeAqVZ_=-oyFnk-3x1xYYJA1dicsUdBO58sj28g@mail.gmail.com>
To: public-webappsec@w3.org

Hi there,

I've just come across the Referrer Policy spec – pleased to see the web is
moving forward with further respecting privacy; this is an area which
definitely goes under

Are there any plans to allow for combining values within a policy?

For example, I may want the following rules:

- Do not serve any Referer header in non-secure requests.
- Serve just the origin when making cross-origin requests.

This way I can provide users with a safe-from-MITM browsing experience,
whilst providing only the basic referral information (origin only) to
secure external sites, ensuring they can identify we're the ones
referring but not which specific paths a given visitor has viewed.

To achieve this, I could hypothetically combine
`no-referrer-when-downgrade` and `origin-when-cross-origin`.

Best Regards,

Ryan Townsend
Received on Wednesday, 29 June 2016 16:43:40 UTC
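The two rules Ryan asks to combine, modelled as one referrer policy so the resulting Referer value can be checked for concrete URL pairs. This is an added example, not code from the post or from the Referrer Policy spec; it assumes Node.js (global `URL` class), and the URLs in it are constructed.

```javascript
// Added example, not part of the original post or the Referrer Policy
// spec text: a model of the two rules from the post, so the Referer
// value a user agent following them would send can be checked.
// Assumes Node.js (global URL class); the URLs below are constructed.

// Spec-style "strip URL for use as a referrer": drop credentials and fragment.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer value to attach when a page at `fromUrl` requests
// `toUrl`, or null when no Referer header should be sent.
function computeReferrer(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Rule 1 (as worded in the post): no Referer on non-secure requests.
  // This is slightly stricter than `no-referrer-when-downgrade`, which
  // only suppresses the header on an https -> http downgrade.
  if (to.protocol !== "https:") {
    return null;
  }

  // Rule 2: cross-origin requests get the origin only, serialised with a
  // trailing "/", which is how a user agent sends an origin-only referrer.
  if (from.origin !== to.origin) {
    return from.origin + "/";
  }

  // Same-origin requests keep the full (stripped) URL.
  return stripForReferrer(from);
}

// Constructed sample navigations from a page whose path is private.
const PAGE = "https://shop.example/account/orders/4711?tab=items#top";

console.log(computeReferrer(PAGE, "http://tracker.example/pixel.gif"));  // null
console.log(computeReferrer(PAGE, "https://partner.example/landing"));   // https://shop.example/
console.log(computeReferrer(PAGE, "https://shop.example/account/help")); // https://shop.example/account/orders/4711?tab=items
```

The spec's `strict-origin-when-cross-origin` value corresponds to this combination, except that it still sends the referrer on http-to-http requests, since those are not a downgrade.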
