Re: [EXTERNAL] Re: On CURLOPT_AUTOREFERER privacy

2022-10-18 Thread Daniel Stenberg via curl-library
On Mon, 17 Oct 2022, Timothe Litt via curl-library wrote: If we're going forwward with this, the new behavior should be a new option. It can be a new value for the current option, I can tell you didn't look at the PR... -- / daniel.haxx.se | Commercial curl support up to 24x7 is

Re: [EXTERNAL] Re: On CURLOPT_AUTOREFERER privacy

2022-10-17 Thread Timothe Litt via curl-library
On 17-Oct-22 16:57, Daniel Stenberg via curl-library wrote: On Mon, 17 Oct 2022, Dmitry Karpov via curl-library wrote: I'm all for adding an option to add the host-only behaviour as an option, but not to make it the default. Yes, I also think that this is the right way to do it. I hear

RE: [EXTERNAL] Re: On CURLOPT_AUTOREFERER privacy

2022-10-17 Thread Daniel Stenberg via curl-library
On Mon, 17 Oct 2022, Dmitry Karpov via curl-library wrote: I'm all for adding an option to add the host-only behaviour as an option, but not to make it the default. Yes, I also think that this is the right way to do it. I hear you. Thanks all for the feedback. If we're going forwward with

RE: [EXTERNAL] Re: On CURLOPT_AUTOREFERER privacy

2022-10-17 Thread Dmitry Karpov via curl-library
l-library On Behalf Of Dan Fandrich via curl-library Sent: Monday, October 17, 2022 10:17 AM To: curl-library@lists.haxx.se Cc: Dan Fandrich Subject: [EXTERNAL] Re: On CURLOPT_AUTOREFERER privacy On Mon, Oct 17, 2022 at 04:34:05PM +0200, Daniel Stenberg via curl-library wrote: > On Mon, 17 O

Re: On CURLOPT_AUTOREFERER privacy

2022-10-17 Thread Dan Fandrich via curl-library
On Mon, Oct 17, 2022 at 04:34:05PM +0200, Daniel Stenberg via curl-library wrote: > On Mon, 17 Oct 2022, Timothe Litt via curl-library wrote: > > > > My initial PR for this work: https://github.com/curl/curl/pull/9750 > > > > > Why change the default behavior? > > For improved privacy. Because

Re: On CURLOPT_AUTOREFERER privacy

2022-10-17 Thread Daniel Stenberg via curl-library
On Mon, 17 Oct 2022, Timothe Litt via curl-library wrote: My initial PR for this work: https://github.com/curl/curl/pull/9750 Why change the default behavior? For improved privacy. Because the browsers sort of do it like this. -- / daniel.haxx.se | Commercial curl support up to 24x7 is

Re: On CURLOPT_AUTOREFERER privacy

2022-10-17 Thread Timothe Litt via curl-library
On 17-Oct-22 09:46, Daniel Stenberg via curl-library wrote: Hello, When setting the CURLOPT_AUTOREFERER option, libcurl automatically sets the referer: header in following request (like when following redirects) to the URL of the previous transfer. This can be considered a minor privacy

On CURLOPT_AUTOREFERER privacy

2022-10-17 Thread Daniel Stenberg via curl-library
Hello, When setting the CURLOPT_AUTOREFERER option, libcurl automatically sets the referer: header in following request (like when following redirects) to the URL of the previous transfer. This can be considered a minor privacy leak, especially when folllowing requests cross-orgin and to an