On Sun, Feb 9, 2014 at 8:26 PM, Dan Auerbach <[email protected]> wrote:
> Increasing the granularity of referer options seems like a positive
> thing overall and I have no objection to this proposal. However, I'm
> curious if you have empirical evidence to the extent to which sending
> the current host's root keeps certain hosts happy? I ask because my
> intuition is that the vast majority of cases where a referer "needs"
> to be sent occur in requests within the same domain (e.g. CSRF+HTTPS
> protection, hotlinking prevention), and hence setting
> network.http.referer.XOriginPolicy ought to do the trick.
>
> In any case, now that 822869 has finally landed (woo!) it would be
> nice to do some testing to arrive at the most restrictive policy we
> can get away with with a minimum of breakage. I'd love to hear from
> the privacy team at Mozilla about the best way to test and push this
> forward.

Hello friends,

I have written down the beginnings of an improved Referrer policy here:

    https://briansmith.org/referrer-01.html

It goes quite far beyond the policy I suggested last year in this
thread. Although I wrote it in a way that is more oriented towards
preventing security problems, it also has (IMNSHO) very good privacy
properties as well.

I believe that now there is sufficient infrastructure in Firefox
Nightly, thanks to Sid Stamm's recent work, to implement such a
policy. Now seems like a great time to do so, especially considering
that the W3C WebAppSec working group is trying to standardize
browsers' referrer policies now; see
https://www.w3.org/TR/referrer-policy/.

I am curious about what others think.

Cheers,
Brian
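As an added illustration (not code from this thread, from Brian's draft, or from Firefox), here is a small Python model of the trade-off Dan's message weighs: a cross-origin gate in the spirit of network.http.referer.XOriginPolicy, an origin-only ("current host's root") trimming option, and the kind of server-side CSRF Referer check that same-origin requests must keep satisfying. The 0/1/2 value mapping and the last-two-labels base-domain heuristic are assumptions made for the example (Firefox itself consults the Public Suffix List), not statements from the thread.

```python
from urllib.parse import urlsplit

# Assumed value mapping, modelled on Firefox's network.http.referer.XOriginPolicy
# as commonly documented; not taken from the thread above.
#   0 = always send the Referer
#   1 = send only when the base (registrable) domains match
#   2 = send only when the hosts match exactly
ALWAYS, SAME_BASE_DOMAIN, SAME_HOST = 0, 1, 2


def base_domain(host):
    """Simplified registrable-domain check: the last two DNS labels.
    This is a stand-in for a Public Suffix List lookup and is wrong for
    suffixes such as co.uk; kept simple on purpose (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _origin(parts):
    """scheme://host[:port] with userinfo, path, query and fragment dropped."""
    hostport = parts.hostname or ""
    if parts.port is not None:
        hostport += f":{parts.port}"
    return f"{parts.scheme}://{hostport}"


def referer_for(source_url, target_url, xorigin_policy=ALWAYS, origin_only=False):
    """Referer header value a browser following this policy would attach when a
    document at source_url requests target_url, or None if nothing is sent."""
    src, dst = urlsplit(source_url), urlsplit(target_url)

    # Never leak an https:// document's URL to a plain http:// target.
    if src.scheme == "https" and dst.scheme != "https":
        return None

    # Cross-origin gate: the restrictive settings Dan suggests suffice for the
    # same-domain cases (CSRF checks, hotlink prevention) and suppress the rest.
    if xorigin_policy == SAME_HOST and src.hostname != dst.hostname:
        return None
    if xorigin_policy == SAME_BASE_DOMAIN and base_domain(src.hostname) != base_domain(dst.hostname):
        return None

    if origin_only:
        # "The current host's root": origin only, no path or query.
        return _origin(src) + "/"
    # Full Referer: fragment and userinfo are never sent.
    query = f"?{src.query}" if src.query else ""
    return _origin(src) + (src.path or "/") + query


def csrf_referer_check(referer, site_origin):
    """Server-side check of the kind the message calls 'CSRF+HTTPS protection':
    accept a state-changing request only if its Referer origin is the site's
    own origin. A missing Referer is rejected, which is exactly why the browser
    must keep sending it on same-origin requests even under a strict policy."""
    if referer is None:
        return False
    return _origin(urlsplit(referer)) == site_origin


if __name__ == "__main__":
    # Constructed sample navigation: a shop page requesting a few targets.
    page = "https://shop.example.com/cart?id=7#top"
    for target in ("https://shop.example.com/checkout",
                   "https://cdn.example.com/logo.png",
                   "https://tracker.example.net/pixel.gif"):
        for policy in (ALWAYS, SAME_BASE_DOMAIN, SAME_HOST):
            print(policy, target, referer_for(page, target, policy),
                  referer_for(page, target, policy, origin_only=True))
```

The model shows why XOriginPolicy alone covers the common "needs a referer" cases: under the strictest setting the same-host checkout request still carries the full Referer, so the server's CSRF check passes, while a forged request from another site arrives with no Referer at all and is rejected.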
_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy