
[whatwg] <meta name="referrer">

From: Glenn Maynard <glenn@zewt.org>
Date: Tue, 25 Oct 2011 20:59:07 -0400
Message-ID: <CABirCh-4SK7+Pqohpy-ttcSpoPVigDNXRPUFtbL5PoG83wKtEw@mail.gmail.com>
On Tue, Oct 25, 2011 at 7:55 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:

> There is a fairly strong security benefit of policing it on document-
> or even origin-level: it's exceedingly easy to miss an outgoing link
> or a Referer-sending subresource (including <img>, <iframe>, <link
> rel=...>) otherwise.
>

But it has the very problem that it's global, whether you want it or not.
Also, the problem is reversed for "always"--you probably *want* to specify
that explicitly on a link-by-link basis, since it's loosening the referrer
rules rather than tightening them.

<meta> could be used to set the default referrer mode, then use rel=
consistently with noreferrer.  For example,

<meta name="referrer" content="noreferrer">
<meta name="referrer" content="alwaysreferrer">
<meta name="referrer" content="originreferrer">
<meta name="referrer" content="defaultreferrer">

This would set the default, which could be overridden with rel:

<a rel="noreferrer"> <!-- already works -->
<a rel="alwaysreferrer">
<a rel="originreferrer">
<a rel="defaultreferrer">

That would allow using the existing noreferrer feature globally, using the
new referrer modes for specific links, setting noreferrer globally and a
different mode for specific resources, and so on.

On Tue, Oct 25, 2011 at 7:59 PM, Adam Barth <w3c at adambarth.com> wrote:

> Similarly, it's useful for this feature to apply to things besides links,
> such as iframes (e.g., advertisements embedded in a social networking
> site---see previously mentioned news stories).  I can add this
> information to the use cases section if that would be helpful.
>

Are implementors really willing to implement a feature that allows disabling
referrers for non-links, though?  I'm pretty sure rel=noreferrer's
links-only limitation is by design.

-- 
Glenn Maynard
Received on Tuesday, 25 October 2011 17:59:07 UTC
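
The resolution order proposed in this message (a `<meta name="referrer">` default, overridden per link by a `rel` token), as an added example that is not code from the thread or from any browser. The message names the four modes but does not define them, so the meaning given to each mode below, the strictest-wins rule for conflicting `rel` tokens, and the `example` hostnames are assumptions.

```javascript
// Added illustration of the proposal in this message; not code from the thread.
// Mode semantics are assumptions: the message names the modes without defining them.
const MODES = ["noreferrer", "originreferrer", "defaultreferrer", "alwaysreferrer"]; // strictest first

// Full URL as it would appear in Referer: no fragment, no credentials.
function stripped(url) {
  const u = new URL(url);
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// Pick the mode: a referrer token in rel overrides the <meta> default.
// Assumption: if rel carries several referrer tokens, the strictest wins.
function effectiveMode(metaDefault, rel) {
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  const fromRel = MODES.find((m) => tokens.includes(m));
  if (fromRel) return fromRel;
  return MODES.includes(metaDefault) ? metaDefault : "defaultreferrer";
}

// Returns the Referer value for a navigation, or null when none is sent.
function refererFor(docUrl, targetUrl, metaDefault, rel) {
  const mode = effectiveMode(metaDefault, rel);
  const doc = new URL(docUrl);
  const target = new URL(targetUrl);
  switch (mode) {
    case "noreferrer":
      return null;
    case "originreferrer":
      return doc.origin + "/";
    case "alwaysreferrer":
      return stripped(docUrl);
    default: {
      // defaultreferrer: assumed to mean no Referer on HTTPS -> non-HTTPS.
      const downgrade = doc.protocol === "https:" && target.protocol !== "https:";
      return downgrade ? null : stripped(docUrl);
    }
  }
}

// Constructed sample: a page that sets noreferrer globally, with per-link overrides.
const page = "https://social.example/inbox?user=42#msg7";
for (const rel of ["", "originreferrer", "alwaysreferrer", "nofollow defaultreferrer"]) {
  console.log(JSON.stringify(rel), "->", refererFor(page, "http://ads.example/", "noreferrer", rel));
}
```

With a global `noreferrer` default, only the links that carry an explicit loosening token leak anything, which is the per-link opt-in for "always" argued for above.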
