- From: Glenn Maynard <glenn@zewt.org>
- Date: Tue, 25 Oct 2011 20:59:07 -0400
On Tue, Oct 25, 2011 at 7:55 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> There is a fairly strong security benefit of policing it on document-
> or even origin-level: it's exceedingly easy to miss an outgoing link
> or a Referer-sending subresource (including <img>, <iframe>, <link
> rel=...>) otherwise.

But it has the very problem that it's global, whether you want it or not. Also, the problem is reversed for "always"--you probably *want* to specify that explicitly on a link-by-link basis, since it's loosening the referrer rules rather than tightening them.

<meta> could be used to set the default referrer mode, then use rel= consistently with noreferrer. For example,

<meta name="referrer" content="noreferrer">
<meta name="referrer" content="alwaysreferrer">
<meta name="referrer" content="originreferrer">
<meta name="referrer" content="defaultreferrer">

This would set the default, which could be overridden with rel:

<a rel="noreferrer"> <!-- already works -->
<a rel="alwaysreferrer">
<a rel="originreferrer">
<a rel="defaultreferrer">

That would allow using the existing noreferrer feature globally, using the new referrer modes for specific links, setting noreferrer globally and a different mode for specific resources, and so on.

On Tue, Oct 25, 2011 at 7:59 PM, Adam Barth <w3c at adambarth.com> wrote:
> Similarly, it's useful for this feature to apply things besides links,
> such as iframes (e.g., advertisements embedded in a social networking
> site---see previously mentioned news stories). I can add this
> information to the use cases section if that would be helpful.

Are implementors really willing to implement a feature that allows disabling referrers for non-links, though? I'm pretty sure rel=noreferrer's links-only limitation is by design.

-- 
Glenn Maynard
Received on Tuesday, 25 October 2011 17:59:07 UTC
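The cascade Glenn sketches above (a document-wide default from <meta name="referrer">, overridden per link by rel=) can be modelled as a small resolver. The following is an added example, not code from the message or from any browser: the mode names noreferrer/alwaysreferrer/originreferrer/defaultreferrer are taken from his proposal and are assumptions (no browser shipped them under those names), "defaultreferrer" is assumed to mean the 2011 browser behaviour (full URL except on an https-to-http downgrade), and, to illustrate the open question at the end of the message, the model assumes <meta> governs subresources such as <img> while rel= is honoured only on <a>. The sample document, URLs and hostnames are constructed.

```javascript
// Added example modelling Glenn Maynard's proposed referrer cascade.
// Not part of the original message or of any browser; mode names and the
// meaning of "defaultreferrer" are assumptions for illustration only.

const MODES = new Set(["noreferrer", "alwaysreferrer", "originreferrer", "defaultreferrer"]);

// rel= on the link wins, then the <meta name="referrer"> default,
// then the browser's built-in behaviour ("defaultreferrer").
function effectiveMode(metaContent, rel) {
  const fromRel = (rel || "").toLowerCase().split(/\s+/).find((t) => MODES.has(t));
  if (fromRel) return fromRel;
  const fromMeta = (metaContent || "").trim().toLowerCase();
  return MODES.has(fromMeta) ? fromMeta : "defaultreferrer";
}

// Referer header value for a request from `fromUrl` to `toUrl` under `mode`,
// or null when no header is sent. Credentials and the fragment are never sent.
// "defaultreferrer" (assumed): full URL, except nothing on an https -> http downgrade.
function refererFor(mode, fromUrl, toUrl) {
  const src = new URL(fromUrl);
  const dst = new URL(toUrl);
  const full = () => {
    const c = new URL(src.href);
    c.username = "";
    c.password = "";
    c.hash = "";
    return c.href;
  };
  switch (mode) {
    case "noreferrer":
      return null;
    case "originreferrer":
      return src.origin + "/";
    case "alwaysreferrer":
      return full();
    case "defaultreferrer":
      return src.protocol === "https:" && dst.protocol === "http:" ? null : full();
    default:
      throw new Error("unknown referrer mode: " + mode);
  }
}

// Walk a deliberately simple constructed document and decide the Referer for
// every <a href> and <img src>. A regex pass suffices for this toy markup;
// it is not an HTML parser and must not be used on real pages.
function planReferers(html, docUrl) {
  const meta = /<meta\s+name="referrer"\s+content="([^"]*)"/i.exec(html);
  const metaContent = meta ? meta[1] : "";
  const out = [];
  const tagRe = /<(a|img)\s+([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const attr = (name) => {
      const r = new RegExp(`\\b${name}="([^"]*)"`, "i").exec(attrs);
      return r ? r[1] : "";
    };
    const target = new URL(attr(tag === "a" ? "href" : "src"), docUrl).href;
    // Assumption from the message's closing question: rel= applies to links
    // only, so an <img> can only ever get the document-level default.
    const mode = effectiveMode(metaContent, tag === "a" ? attr("rel") : "");
    out.push({ tag, target, mode, referer: refererFor(mode, docUrl, target) });
  }
  return out;
}

// Constructed sample: a social-network profile page whose URL carries a
// session token, with a global noreferrer default and per-link overrides.
const SAMPLE_HTML = `
<meta name="referrer" content="noreferrer">
<a href="https://partner.example/landing" rel="alwaysreferrer">tracked partner</a>
<a href="http://legacy.example/" rel="originreferrer">origin only</a>
<a href="https://other.example/">inherits the meta default</a>
<img src="https://ads.example/pixel.gif">
`;
const DOC_URL = "https://social.example/user/alice?session=abc#top";

for (const r of planReferers(SAMPLE_HTML, DOC_URL)) {
  console.log(`${r.tag} -> ${r.target} [${r.mode}] Referer: ${r.referer}`);
}
```

Running it shows the point of the cascade: the page-wide noreferrer default protects the token-bearing URL on the plain link and on the ad pixel (which has no rel= to override it), while the two links that explicitly opt in send the full URL or only the origin. The tracked partner link is the "always" case Glenn says should be opted into per link, not globally.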