
[whatwg] <meta name="referrer">

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 25 Oct 2011 16:59:38 -0700
Message-ID: <CAJE5ia9Cj4KwqTcY94uKVwKFYYoe5imnObTx5LS5VjBmoR0LOw@mail.gmail.com>
On Tue, Oct 25, 2011 at 4:55 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> It would be nice if this could be done orthogonally to rel="noreferrer", and
>> in a way that's link-specific instead of global to the whole page; for
>> example, <a rel="originreferrer">, <a rel="alwaysreferrer">.
>
> There is a fairly strong security benefit of policing it on document-
> or even origin-level: it's exceedingly easy to miss an outgoing link
> or a Referer-sending subresource (including <img>, <iframe>, <link
> rel=...>) otherwise.
>
> It's roughly the same reason why we have CSP, even though policing the
> markup is theoretically possible without it.

Yeah, it's really easy to forget to tag a link with noreferrer.  There
have been embarrassing news stories about some popular social
networking sites who missed doing the current redirect hack on a link
or two and got in privacy hot water.

Similarly, it's useful for this feature to apply to things besides links,
such as iframes (e.g., advertisements embedded in a social networking
site---see previously mentioned news stories).  I can add this
information to the use cases section if that would be helpful.

Adam
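The document-level check Michal and Adam are arguing for, as an added example that is not code from this thread: a small audit that walks every Referer-sending element (a, img, iframe, link) in a constructed sample page and reports which cross-origin fetches would still carry the full page URL, first under per-link rel="noreferrer" alone and then under a page-wide `<meta name="referrer">`. Policy names follow the current Referrer Policy spec, the page origin and sample HTML are constructed, and the no-meta default is assumed to be no-referrer-when-downgrade, the behaviour browsers shipped when this thread was written.

```javascript
const PAGE_ORIGIN = 'https://social.example';
// Constructed sample page (added example, not from the thread): one link tagged noreferrer, one missed, a third-party stylesheet, a pixel and an ad iframe.
const SAMPLE_HTML = `<html><head><link rel="stylesheet" href="https://cdn.example/site.css"></head><body>
<a href="https://partner.example/offer" rel="noreferrer">tagged</a>
<a href="https://other.example/page">missed</a>
<img src="https://tracker.example/pixel.gif">
<iframe src="https://ads.example/frame?slot=1"></iframe></body></html>`;

// Minimal regex tag scanner (not a real HTML parser): every element that fetches a URL.
function collectRequests(html) {
  const out = [];
  for (const m of html.matchAll(/<(a|img|iframe|link)\b([^>]*)>/gi)) {
    const url = (m[2].match(/\b(?:href|src)=["']([^"']+)["']/i) || [])[1];
    const rel = ((m[2].match(/\brel=["']([^"']+)["']/i) || [])[1] || '').toLowerCase();
    if (url) out.push({ tag: m[1].toLowerCase(), url, rel });
  }
  return out;
}

// Policy from <meta name="referrer" content="..."> (name before content assumed). Assumed default when
// absent: no-referrer-when-downgrade, the 2011 browser behaviour (today's default is strict-origin-when-cross-origin).
function metaReferrerPolicy(html) {
  const m = html.match(/<meta\b[^>]*name=["']referrer["'][^>]*content=["']([^"']+)["']/i);
  return m ? m[1].toLowerCase() : 'no-referrer-when-downgrade';
}

// What Referer one request would carry: 'full' (page URL), 'origin' (origin only) or 'none'.
function referrerSent(policy, rel, targetUrl) {
  if (rel.split(/\s+/).includes('noreferrer')) return 'none'; // per-element opt-out wins
  const target = new URL(targetUrl);
  const sameOrigin = target.origin === PAGE_ORIGIN;
  const downgrade = PAGE_ORIGIN.startsWith('https:') && target.protocol === 'http:';
  switch (policy) {
    case 'no-referrer': return 'none';
    case 'unsafe-url': return 'full';
    case 'same-origin': return sameOrigin ? 'full' : 'none';
    case 'origin': return 'origin';
    case 'strict-origin': return downgrade ? 'none' : 'origin';
    case 'origin-when-cross-origin': return sameOrigin ? 'full' : 'origin';
    case 'no-referrer-when-downgrade': return downgrade ? 'none' : 'full';
    default: return downgrade ? 'none' : sameOrigin ? 'full' : 'origin'; // strict-origin-when-cross-origin
  }
}

// Audit: every cross-origin fetch that would still reveal the full page URL.
function leakyRequests(html) {
  return collectRequests(html).filter(r => new URL(r.url).origin !== PAGE_ORIGIN &&
    referrerSent(metaReferrerPolicy(html), r.rel, r.url) === 'full');
}
```

With only the one tagged link, the missed link, the stylesheet, the pixel and the ad iframe all still leak; prepending a single `<meta name="referrer" content="no-referrer">` (or `origin`) to the page closes every one of them at once.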
Received on Tuesday, 25 October 2011 16:59:38 UTC
