
[whatwg] <meta name="referrer">

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 25 Oct 2011 20:46:17 -0700
Message-ID: <CAJE5ia8g6v_SWcqPqyBnrmBTtk5azRDibH1jGSBXE2JT+gqRug@mail.gmail.com>
On Tue, Oct 25, 2011 at 8:41 PM, Glenn Maynard <glenn at zewt.org> wrote:
> On Tue, Oct 25, 2011 at 9:16 PM, Adam Barth <w3c at adambarth.com> wrote:
>> > Are implementors really willing to implement a feature that allows
>> > disabling
>> > referrers for non-links, though? I'm pretty sure rel=noreferrer's
>> > links-only limitation is by design.
>>
>> I'm an implementor, and I'm interested in implementing this feature. :)
>
> It would fully break the basic use cases of Referer--being able to tell what
> server is inlining resources on your server and causing it to be hammered,
> and being able to do something about it. "rel=originreferer" mode doesn't
> have that problem, though.

It's a matter of weighing the privacy and security benefits against
the costs to that use case.  If you're interested in that use case,
you might be interested in Anne's From-Origin proposal, which
addresses it head-on.

(BTW, I don't agree that use case is "the" basic use case for Referer,
but that's a matter of opinion.)

> By the way, does this need to consider CORS and the Origin header for <img
> cross-origin>? I'm not fresh on how that works.

Nope.  The two do not interact.

Adam
Received on Tuesday, 25 October 2011 20:46:17 UTC
