- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 25 Oct 2011 16:59:38 -0700
On Tue, Oct 25, 2011 at 4:55 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> It would be nice if this could be done orthogonally to rel="noreferrer", and
>> in a way that's link-specific instead of global to the whole page; for
>> example, <a rel="originreferrer">, <a rel="alwaysreferrer">.
>
> There is a fairly strong security benefit of policing it on document-
> or even origin-level: it's exceedingly easy to miss an outgoing link
> or a Referer-sending subresource (including <img>, <iframe>, <link
> rel=...>) otherwise.
>
> It's roughly the same reason why we have CSP, even though policing the
> markup is theoretically possible without it.

Yeah, it's really easy to forget to tag a link with noreferrer. There
have been embarrassing news stories about some popular social
networking sites who missed doing the current redirect hack on a link
or two and got in privacy hot water.

Similarly, it's useful for this feature to apply to things besides links,
such as iframes (e.g., advertisements embedded in a social networking
site---see previously mentioned news stories).

I can add this information to the use cases section if that would be helpful.

Adam
Received on Tuesday, 25 October 2011 16:59:38 UTC
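The point both posters make is that per-link rel="noreferrer" is easy to miss, and that subresources such as <img>, <iframe> and <link> cannot be tagged per element at all, which is why a document- or origin-level policy is safer. The following audit script is an added example, not code from this thread or from any W3C draft: it walks a page's markup and lists every cross-host reference that would still send a Referer in the absence of a document-level policy. The element/attribute table and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute triggers a request that carries Referer.
# (Assumed list for this example; real pages have more, e.g. <form action>.)
URL_ATTRS = {
    "a": "href", "area": "href", "link": "href",
    "img": "src", "iframe": "src", "script": "src",
}
# rel="noreferrer" is only defined for hyperlinks; subresources can't opt out per element.
TAGGABLE = {"a", "area"}


class ReferrerAudit(HTMLParser):
    """Collect cross-host references that leak the page URL via Referer."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (tag, absolute_url, reason)

    def handle_starttag(self, tag, attrs):
        attr_name = URL_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        target = attrs.get(attr_name)
        if not target:
            return
        absolute = urljoin(self.page_url, target)
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            return  # mailto:, javascript:, data: do not send Referer
        if parts.hostname == self.page_host:
            return  # same host already knows the page URL
        rel_tokens = (attrs.get("rel") or "").lower().split()
        if tag in TAGGABLE and "noreferrer" in rel_tokens:
            return  # correctly tagged hyperlink
        if tag in TAGGABLE:
            reason = "hyperlink missing rel=noreferrer"
        else:
            reason = "subresource; cannot be tagged, needs document-level policy"
        self.findings.append((tag, absolute, reason))


def audit(html, page_url):
    """Return the list of Referer-leaking cross-host references in document order."""
    parser = ReferrerAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a profile page whose URL itself is sensitive.
PAGE_URL = "https://social.example/profile/alice?id=42"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
</head><body>
<a href="https://partner.example/landing" rel="noopener noreferrer">tagged</a>
<a href="https://partner.example/signup">forgotten</a>
<a href="/settings">internal</a>
<a href="mailto:alice@example.com">mail</a>
<img src="/avatars/alice.png">
<iframe src="https://ads.example/slot?unit=7"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, reason in audit(SAMPLE_HTML, PAGE_URL):
        print(f"<{tag}> {url}: {reason}")
```

Running it on the constructed page reports the untagged partner link plus the stylesheet and ad iframe; the tagged link, the same-host references and the mailto: link are silent. The two subresource findings are exactly the case the thread describes: no per-element attribute fixes them, only a document-level referrer policy does.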