- From: Glenn Maynard <glenn@zewt.org>
- Date: Tue, 25 Oct 2011 23:41:46 -0400
On Tue, Oct 25, 2011 at 9:16 PM, Adam Barth <w3c at adambarth.com> wrote:
> That's an interesting idea. It certainly integrates the two features
> better. We might need to iterate on the names a bit though.
>
> It's a bit strange to have two levels of defaults. For example,
> suppose you have <meta name="referrer" content="noreferrer"> but then
> <a rel="defaultreferrer">. That's like overriding the one level of
> default to get to a "more" default behavior.
>
This goes away if you call it "standard referrer" or something like that.
Maybe just "referrer"?
("referer-origin", "referer-always", etc. is nicer, but then it looks like
something distinct from "noreferer" instead of items in the same set.)
> Are implementors really willing to implement a feature that allows
> disabling
> > referrers for non-links, though? I'm pretty sure rel=noreferrer's
> > links-only limitation is by design.
>
> I'm an implementor, and I'm interested in implementing this feature. :)
>
It would fully break the basic use cases of Referer--being able to tell what
server is inlining resources on your server and causing it to be hammered,
and being able to do something about it. "rel=originreferer" mode doesn't
have that problem, though.
By the way, does this need to consider CORS and the Origin header for <img
cross-origin>? I'm not fresh on how that works.
--
Glenn Maynard
Received on Tuesday, 25 October 2011 20:41:46 UTC