Limiting the `referer` header's length.

Hey folks!

I mentioned https://github.com/whatwg/fetch/issues/903 on the last call,
and I'd like to mention it again. Based on early Chrome telemetry, it looks
like only ~0.01% of requests have a `referer` header longer than ~4k. In
order to whack a specific xsleaks mole
<https://github.com/xsleaks/xsleaks/wiki/Browser-Side-Channels#cache-and-error-events>,
I'd like to strip the header's value down to its origin if it exceeds that
length. My intuition is that this is a safe way to process the header,
which ensures that important parameters, entities, etc. won't be cut off in
the middle.

I've put together a quick PR against Referrer Policy at
https://github.com/w3c/webappsec-referrer-policy/pull/122. I'd appreciate
feedback either there or on the issue noted above. :)

-mike

Received on Wednesday, 5 June 2019 08:30:13 UTC
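The origin fallback described in the message above, written out as an added example. This is not code from the message, from Chrome, or from the Referrer Policy PR. It assumes a concrete limit of 4096 for "~4k", that the limit is applied to the serialized URL (which is ASCII after percent-encoding and punycode, so code units equal bytes), and that the origin-only form is serialized as the origin followed by a slash, the way an `origin` referrer policy already does; `referrerValue` and `stripForReferrer` are names chosen here.

```javascript
// Added example, not code from the original message or the Referrer Policy spec.
// Assumed limit for the "~4k" figure in the message.
const REFERER_LENGTH_LIMIT = 4096;

// A referrer never carries credentials or a fragment, so drop them first;
// the length check below is applied to what would actually be sent.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u;
}

// Returns the `referer` header value for `url`, or null when the URL has an
// opaque origin (e.g. data:) and therefore yields no referrer at all.
// If the stripped URL exceeds `limit`, fall back to the origin rather than
// cutting the string mid-way, so no parameter or path segment is left half-sent.
function referrerValue(url, limit = REFERER_LENGTH_LIMIT) {
  let u;
  try {
    u = stripForReferrer(url);
  } catch {
    return null; // not a parsable URL
  }
  if (u.origin === 'null') return null;
  const full = u.href;
  if (full.length <= limit) return full;
  return u.origin + '/';
}

// Constructed inputs: one oversized URL, one ordinary URL with credentials and a fragment.
const oversized = 'https://example.com/search?q=' + 'a'.repeat(5000);
console.log(referrerValue(oversized));                                   // origin only
console.log(referrerValue('https://user:pw@example.com/p?x=1#frag'));   // stripped, full URL
```

The fallback deliberately jumps from the full URL straight to the origin: a truncated path or query could still leak a prefix of a secret parameter, while the origin alone carries nothing the target did not already learn from the connection.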