- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Tue, 25 Oct 2011 16:55:44 -0700
> It would be nice if this could be done orthogonally to rel="noreferrer", and
> in a way that's link-specific instead of global to the whole page; for
> example, <a rel="originreferrer">, <a rel="alwaysreferrer">.

There is a fairly strong security benefit of policing it on document- or even origin-level: it's exceedingly easy to miss an outgoing link or a Referer-sending subresource (including <img>, <iframe>, <link rel=...>) otherwise. It's roughly the same reason why we have CSP, even though policing the markup is theoretically possible without it.

/mz
Received on Tuesday, 25 October 2011 16:55:44 UTC
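
An added illustration of the point made in the message (not part of the original e-mail and not its author's code): a small Python audit that lists every cross-origin link or subresource in a constructed page that carries no per-element opt-out. The `<meta name="referrer">` and `referrerpolicy="no-referrer"` checks are assumptions about how document-level and per-element controls are expressed; the message names neither, and the sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute holding the URL that a Referer header would be sent to.
URL_ATTRS = {"a": "href", "area": "href", "img": "src", "iframe": "src",
             "script": "src", "link": "href"}

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)

class RefererAudit(HTMLParser):
    """Collect cross-origin links/subresources with no per-element opt-out."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.doc_policy = None   # content of <meta name="referrer">, if present
        self.uncovered = []      # (tag, absolute URL) still sending Referer

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.doc_policy = a.get("content", "").strip().lower()
            return
        attr = URL_ATTRS.get(tag)
        if attr is None or not a.get(attr):
            return
        target = urljoin(self.page_url, a[attr])
        if origin(target)[0] not in ("http", "https") or origin(target) == origin(self.page_url):
            return               # non-network scheme or same-origin: out of scope
        rel_optout = tag in ("a", "area") and "noreferrer" in a.get("rel", "").lower().split()
        if not rel_optout and a.get("referrerpolicy", "").lower() != "no-referrer":
            self.uncovered.append((tag, target))

def audit(html, page_url):
    parser = RefererAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.doc_policy, parser.uncovered

# Constructed sample page: one link is annotated, the others were overlooked.
SAMPLE = """<head><link rel="stylesheet" href="https://cdn.example.net/site.css"></head>
<a rel="noreferrer" href="https://other.example.org/a">annotated</a>
<a href="https://other.example.org/b">forgotten</a>
<img src="//tracker.example.net/p.gif">
<iframe src="https://widgets.example.net/w"></iframe>
<a href="/local">same origin</a>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "https://app.example.com/account"))
```

On the sample, four of the five cross-origin references are reported even though the author annotated a link, while a single document-level declaration would be recorded once in `doc_policy`.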