
[whatwg] <meta name="referrer">

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Tue, 25 Oct 2011 16:55:44 -0700
Message-ID: <CALx_OUDegpk3dfzi2z4aZjt_d_wkJzrHz+wiFBf4grsKoWeTtQ@mail.gmail.com>
> It would be nice if this could be done orthogonally to rel="noreferrer", and
> in a way that's link-specific instead of global to the whole page; for
> example, <a rel="originreferrer">, <a rel="alwaysreferrer">.

There is a fairly strong security benefit of policing it on document-
or even origin-level: it's exceedingly easy to miss an outgoing link
or a Referer-sending subresource (including <img>, <iframe>, <link
rel=...>) otherwise.

It's roughly the same reason why we have CSP, even though policing the
markup is theoretically possible without it.

/mz
Received on Tuesday, 25 October 2011 16:55:44 UTC
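
The point made in the message above, as an added example that is not part of the original post: a small audit that walks a page and lists every cross-origin link or subresource that a per-link `rel="noreferrer"` would not cover, next to the single document-level `<meta name="referrer">` declaration. The names `ReferrerAudit` and `audit`, the sample markup, and the choice to count only cross-origin requests are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that make the browser navigate to or fetch a URL (subset, for illustration).
URL_ATTRS = {"a": "href", "area": "href", "img": "src",
             "iframe": "src", "script": "src", "link": "href"}
HYPERLINKS = {"a", "area"}  # the only elements here where rel="noreferrer" applies

def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port)

class ReferrerAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.document_policy = None   # content of <meta name="referrer">, if present
        self.uncovered = []           # cross-origin requests with no per-link opt-out

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.document_policy = a.get("content", "")  # value is not interpreted
            return
        url = a.get(URL_ATTRS.get(tag, ""), "")
        if not url:
            return
        target = urljoin(self.page_url, url)
        if urlsplit(target).scheme not in ("http", "https"):
            return
        if _origin(target) == _origin(self.page_url):
            return  # assumption: only cross-origin requests are treated as leaks
        if tag in HYPERLINKS and "noreferrer" in a.get("rel", "").lower().split():
            return
        self.uncovered.append((tag, target))

def audit(html, page_url):
    parser = ReferrerAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.document_policy, parser.uncovered

# Constructed sample page and URL (not taken from the thread).
PAGE = "https://intranet.example.com/secret/report?id=42"
SAMPLE = """<head><link rel="stylesheet" href="https://cdn.example.net/site.css"></head>
<a rel="noreferrer" href="https://partner.example.org/">covered link</a>
<a href="https://other.example.org/page">forgotten link</a> <a href="/local">local</a>
<img src="https://tracker.example.net/pixel.gif">
<iframe src="https://widgets.example.net/box"></iframe>"""
```

On the sample, one anchor carries `rel="noreferrer"` and four other requests (a stylesheet, a forgotten anchor, an image and a frame) remain uncovered, while a page-wide declaration is a single line to check.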
