Brian Smith wrote, On 05.12.2014 04:30:
> https://briansmith.org/referrer-01.html
> https://www.w3.org/TR/referrer-policy/

Thanks, Brian, for taking on this problem. You're saying, simplified:

1. Within the same origin, you will send the entire URL as Referer.
2. Outside the origin, there'll be no Referer at all,
3. unless it's for image and JS loads within the page, and there you send only the hostname instead of the entire URL.

The policy makes sense. I support it entirely. Going forward, I think Referer should be dropped entirely.

1. CSRF

Launchpad and MDN maintain that they need the Referer to prevent Cross-Site Request Forgery (CSRF). Your policy will hopefully keep them working, because the Referer within the same site is sent. We'll have to look out for OpenID etc.
https://bugzilla.mozilla.org/show_bug.cgi?id=446344#c58

I think what sites need is just an enum: only one of the values "Same-Host", "Same-Domain", "Cross-site".

Either way, we need to think about giving sites another way to avoid the attacks. Referer gives them that, but there are plenty of alternate approaches. It may not need to use Origin at all, but be an entirely different way. For the site, it's just important that it's automatic across their site, that they don't have to adapt each and every form on their site.
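The following is an added worked example, not code from the mail or from either referrer-policy document it links. It models the three-rule policy summarised above (full URL within the origin, bare origin for cross-origin image/script loads, no Referer otherwise), the three-valued Same-Host / Same-Domain / Cross-site classification the reply asks for, and a site-wide CSRF check that prefers Origin, falls back to Referer, and finally to a per-session token so it keeps working when the policy sends no Referer at all. All names, the `X-CSRF-Token` header, the request-kind labels and the two-label "registrable domain" shortcut are assumptions for illustration; the example goes slightly beyond the mail by also handling the missing-Referer case.

```python
"""Added example: simplified referrer policy and a same-site CSRF check.
Not the mail's or any browser's code; all names are constructed."""
from urllib.parse import urlsplit

# Cross-origin loads that still carry a trimmed Referer under the policy.
SUBRESOURCE_KINDS = {"image", "script"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def referer_to_send(page_url, target_url, kind):
    """Referer a browser would attach under the summarised policy.

    kind is one of 'navigation', 'form', 'image', 'script' (constructed
    labels). Returns the full page URL, the bare origin, or None when the
    header is omitted entirely.
    """
    if origin(page_url) == origin(target_url):
        return page_url                       # rule 1: same origin, entire URL
    if kind in SUBRESOURCE_KINDS:
        scheme, host, port = origin(page_url)
        netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
        return f"{scheme}://{netloc}/"        # rule 3: cross-origin image/JS, origin only
    return None                               # rule 2: any other cross-origin request


def registrable_domain(host):
    """Last two labels of a host name. Assumption: no public-suffix list is
    consulted, so 'co.uk'-style suffixes are misclassified; real code
    should use one."""
    return ".".join(host.split(".")[-2:])


def relation(site_url, referer):
    """The enum the mail asks for: Same-Host, Same-Domain or Cross-site.
    A missing Referer is reported as Cross-site, the safe default."""
    if not referer:
        return "Cross-site"
    site_host = origin(site_url)[1]
    ref_host = origin(referer)[1]
    if site_host == ref_host:
        return "Same-Host"
    if registrable_domain(site_host) == registrable_domain(ref_host):
        return "Same-Domain"
    return "Cross-site"


def csrf_check(request_headers, site_url, session_token):
    """Site-wide decision for a state-changing request, needing no per-form
    changes. Origin is checked first; then a Same-Host Referer; otherwise a
    per-session token in the constructed X-CSRF-Token header must match.
    Returns True when the request may proceed."""
    h = {k.lower(): v for k, v in request_headers.items()}
    if "origin" in h:
        return origin(h["origin"]) == origin(site_url)
    if relation(site_url, h.get("referer")) == "Same-Host":
        return True
    return h.get("x-csrf-token") == session_token


if __name__ == "__main__":
    site = "https://www.example.com/"
    print(referer_to_send("https://www.example.com/settings?x=1",
                          "https://www.example.com/save", "form"))
    print(referer_to_send("https://www.example.com/page",
                          "https://cdn.example.net/a.png", "image"))
    print(referer_to_send("https://www.example.com/page",
                          "https://other.example/login", "navigation"))
    print(relation(site, "https://blog.example.com/post"))
    print(csrf_check({"Referer": "https://www.example.com/form"}, site, "tok"))
    print(csrf_check({}, site, "tok"))
```

The order in `csrf_check` matters: a present Origin header is decisive and never falls through, a Same-Domain Referer is deliberately not trusted (a sibling subdomain is a different origin), and a request with neither header is only accepted on the strength of the token, which is what keeps the defence working once cross-origin requests stop carrying a Referer.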
