- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 25 Oct 2011 18:16:33 -0700
On Tue, Oct 25, 2011 at 5:59 PM, Glenn Maynard <glenn at zewt.org> wrote:
> On Tue, Oct 25, 2011 at 7:55 PM, Michal Zalewski <lcamtuf at coredump.cx>
> wrote:
>>
>> There is a fairly strong security benefit of policing it on document-
>> or even origin-level: it's exceedingly easy to miss an outgoing link
>> or a Referer-sending subresource (including <img>, <iframe>, <link
>> rel=...>) otherwise.
>
> But it has the very problem that it's global, whether you want it or not.
> Also, the problem is reversed for "always"--you probably *want* to specify
> that explicitly on a link-by-link basis, since it's loosening the referrer
> rules rather than tightening them.
>
> <meta> could be used to set the default referrer mode, then use rel=
> consistently with noreferrer. For example,
>
> <meta name="referrer" content="noreferrer">
> <meta name="referrer" content="alwaysreferrer">
> <meta name="referrer" content="originreferrer">
> <meta name="referrer" content="defaultreferrer">
>
> This would set the default, which could be overridden with rel:
>
> <a rel="noreferrer"> <!-- already works -->
> <a rel="alwaysreferrer">
> <a rel="originreferrer">
> <a rel="defaultreferrer">
>
> That would allow using the existing noreferrer feature globally, using the
> new referrer modes for specific links, setting noreferrer globally and a
> different mode for specific resources, and so on.

That's an interesting idea. It certainly integrates the two features better. We might need to iterate on the names a bit though.

It's a bit strange to have two levels of defaults. For example, suppose you have <meta name="referrer" content="noreferrer"> but then <a rel="defaultreferrer">. That's like overriding the one level of default to get to a "more" default behavior.
> On Tue, Oct 25, 2011 at 7:59 PM, Adam Barth <w3c at adambarth.com> wrote:
>> Similarly, it's useful for this feature to apply things besides links,
>> such as iframes (e.g., advertisements embedded in a social networking
>> site---see previously mentioned news stories). I can add this
>> information to the use cases section if that would be helpful.
>
> Are implementors really willing to implement a feature that allows disabling
> referrers for non-links, though? I'm pretty sure rel=noreferrer's
> links-only limitation is by design.

I'm an implementor, and I'm interested in implementing this feature. :)

If other implementors have opinions on this topic, now would be a good time to speak up.

Adam
Received on Tuesday, 25 October 2011 18:16:33 UTC
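The resolution rule discussed in this thread (a document-wide default from `<meta name="referrer">`, overridden per element by a `rel=` token), as an added example that is not code from the thread or from any browser: it audits a constructed snippet and lists which Referer-sending elements would still send the full referrer, which is the "easy to miss" case Zalewski raises. It assumes the proposal's mode names (noreferrer, alwaysreferrer, originreferrer, defaultreferrer) and parses with regexes so it runs in Node without a DOM.

```javascript
// Added example (not from the thread). Resolves the effective referrer mode of each
// Referer-sending element under the proposed scheme: <meta name="referrer"> sets the
// document default, a rel= token on the element overrides it. Mode names are the
// proposal's, not a shipped spec; regex parsing stands in for a real DOM.

const MODES = new Set(["noreferrer", "alwaysreferrer", "originreferrer", "defaultreferrer"]);
// Elements Zalewski lists as sending a Referer header.
const REFERRING_TAGS = ["a", "img", "iframe", "link"];

// Document default from <meta name="referrer">; absent or unknown -> browser default.
function documentDefault(html) {
  const m = /<meta\s+name="referrer"\s+content="([^"]+)"/i.exec(html);
  const mode = m ? m[1].toLowerCase() : "";
  return MODES.has(mode) ? mode : "defaultreferrer";
}

// rel is a space-separated token list; a recognised referrer token overrides the default
// (so rel="defaultreferrer" really does override a document-level "noreferrer").
function effectiveMode(docDefault, relAttr) {
  const override = (relAttr || "").toLowerCase().split(/\s+/).find((t) => MODES.has(t));
  return override || docDefault;
}

// One entry per referrer-sending element: tag, href/src target and effective mode.
function auditReferrers(html) {
  const docDefault = documentDefault(html);
  const tagRe = new RegExp(`<(${REFERRING_TAGS.join("|")})\\b([^>]*)>`, "gi");
  const results = [];
  for (let m; (m = tagRe.exec(html)) !== null; ) {
    const rel = /\brel="([^"]*)"/i.exec(m[2]);
    const target = /\b(?:href|src)="([^"]*)"/i.exec(m[2]);
    results.push({
      tag: m[1].toLowerCase(),
      target: target ? target[1] : null,
      mode: effectiveMode(docDefault, rel ? rel[1] : ""),
    });
  }
  return results;
}

// Elements that would still send the full referrer: an explicit "always", or the
// browser default, which sends it for ordinary same-scheme navigations.
function fullReferrerLeaks(html) {
  return auditReferrers(html).filter((e) => e.mode === "alwaysreferrer" || e.mode === "defaultreferrer");
}

// Constructed sample: one document-wide noreferrer default, one explicit loosening.
const SAMPLE = `<meta name="referrer" content="noreferrer">
<a href="https://example.com/">out</a>
<a rel="alwaysreferrer nofollow" href="https://partner.example/">partner</a>
<img src="https://cdn.example/logo.png">
<iframe src="https://ads.example/"></iframe>`;
```

Dropping the `<meta>` line from the sample makes every element fall back to the browser default, which is the situation the document-level setting is meant to close off.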