[REFERRER] Combining referrer policies

Hi there,

I've just come across the Referrer Policy spec – pleased to see the web is
moving forward with further respecting privacy, this is an area which
definitely goes under

Are there any plans to allow for combining values within a policy?

For example, I may want the following rules:

- Do not serve any Referer header in non-secure requests.
- Serve just the origin when making cross-origin requests.

This way I can provide users with a safe-from-MITM browsing experience,
whilst providing only the basic referral information (origin only) to
secure external sites, ensuring they can identify we're the ones
referring but not which specific paths a given visitor has viewed.

To achieve this, I could hypothetically combine
`no-referrer-when-downgrade` and `origin-when-cross-origin`.

Best Regards,

Ryan Townsend

Received on Wednesday, 29 June 2016 16:43:40 UTC
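
The combination asked about in the message above, modelled as an added example that is not part of the original e-mail or of the Referrer Policy spec. `combine` is a hypothetical helper that applies both named policies and keeps the least revealing result; "downgrade" is simplified to an https: page requesting a non-https: URL, and the URLs are constructed.

```javascript
// Added illustration; `combine` is hypothetical, not part of the Referrer Policy spec.
// Assumption: "downgrade" means an https: source requesting a non-https: URL.

// Full referrer: the source URL without credentials or fragment.
function fullUrl(src) {
  const u = new URL(src);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only referrer, e.g. "https://shop.example/".
function originOnly(src) {
  return new URL(src).origin + "/";
}

const policies = {
  "no-referrer-when-downgrade": (src, dst) => {
    const downgrade =
      new URL(src).protocol === "https:" && new URL(dst).protocol !== "https:";
    return downgrade ? null : fullUrl(src);
  },
  "origin-when-cross-origin": (src, dst) =>
    new URL(src).origin === new URL(dst).origin ? fullUrl(src) : originOnly(src),
};

// Rank by how much a value reveals: nothing (0) < origin only (1) < full URL (2).
function rank(value, src) {
  if (value === null) return 0;
  return value === originOnly(src) ? 1 : 2;
}

// Hypothetical combination: evaluate each policy, keep the least revealing result.
function combine(names, src, dst) {
  return names
    .map((name) => policies[name](src, dst))
    .reduce((a, b) => (rank(b, src) < rank(a, src) ? b : a));
}

// Constructed sample: a page with a sensitive path and three destinations.
const page = "https://shop.example/account/orders?id=42#top";
const both = ["no-referrer-when-downgrade", "origin-when-cross-origin"];
for (const dst of ["https://shop.example/help", "https://partner.example/", "http://partner.example/"]) {
  console.log(dst, "->", combine(both, page, dst));
}
```

On its own, `origin-when-cross-origin` still sends the origin on the https-to-http request, which is the case the combined rule suppresses.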