Re: [whatwg] getting rid of anonymizing redirects
Okay. I assumed more granular control would be needed but if not then this works great. Thanks, Peter From: Ilya Grigorik Date: Wednesday, October 8, 2014 at 11:43 AM To: Peter Lepeska Cc: Chris Bentzel , WHAT Working Group , Subject: Re: [whatwg] getting rid of anonymizing redirects On Wed, Oct 8, 2014 at 11:36 AM, Peter Lepeska wrote: > Does this have implications for resource hints? Do we want the ability to > specify ³noreferrer² for prerendered pages? Currently noreferrer only applies > to the tag. My understanding is that you set a global policy, which would apply to all requests: https://w3c.github.io/webappsec/specs/content-security-policy/#directive-ref errer e.g. Content-Security-Policy: referrer no-referrer; (or equivalent meta element) ig
Re: [whatwg] getting rid of anonymizing redirects
Great thanks Boris! On 10/7/14, 11:49 PM, "Boris Zbarsky" wrote: >On 10/7/14, 11:39 AM, Glenn Maynard wrote: >> Firefox has had a ticket open for this for about half a >> decade > >It's fixed and the fix is shipping in Firefox 33 in a week. > >-Boris
Re: [whatwg] getting rid of anonymizing redirects
Understood and thanks for the explanation. Does this have implications for resource hints? Do we want the ability to specify ³noreferrer² for prerendered pages? Currently noreferrer only applies to the tag. Thanks, Peter From: Ilya Grigorik Date: Tuesday, October 7, 2014 at 6:13 PM To: Peter Lepeska Cc: Chris Bentzel , WHAT Working Group , Subject: Re: [whatwg] getting rid of anonymizing redirects On Tue, Oct 7, 2014 at 8:28 AM, Peter Lepeska wrote: > Looks like this is already supported: > https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer. > > Just need to educate web developers to you use it. It's a bit more complicated. The redirector use case has many dimensions: a) site wants to anonymize the referrer (and do so reliably across all UAs) b) site wants to log the navigation for analytics (sync XHR = bad, has limited support, Beacon is FF/Chrome only) c) site wants to log native-app visits and add "attribution" to their native app - e.g. G+ app clicks are shown as plus.google.com <http://plus.google.com> in referrer logs. In theory, (a) and (b) are addressed by new APIs. In practice, due to old UAs + implementation differences, redirector is *way* easier - don't have to perform UA detects, etc. (c) is a whole different story.. and the reason many teams like the redirector route is that it allows them to reuse the same path for web and native. To be clear, I'm not endorsing the pattern.. I'd love get rid of it. That said, just want to relay the feedback I've received in the past. - we need referrer logic implemented consistently. - we need Beacon available in all browsers. Also, preconnect support can also help speed things up for redirector case: http://w3c.github.io/resource-hints/#anonymizing-redirect-preconnect ig
Re: [whatwg] getting rid of anonymizing redirects
Thanks Glenn. Do you happen to have a list of which browsers support it and which do not? Thanks, Peter From: Glenn Maynard Date: Tuesday, October 7, 2014 at 10:00 AM To: Peter Lepeska Cc: Chris Bentzel , WHAT Working Group , Subject: Re: [whatwg] getting rid of anonymizing redirects On Tue, Oct 7, 2014 at 7:28 AM, Peter Lepeska wrote: > Hi Chris, > > Looks like this is already supported: > https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer. > > Just need to educate web developers to you use it. People don't use it because it's not supported in most browsers. It's too bad, since "link anonymizers" are terrible and the lack of this feature is causing them to continue to be used. -- Glenn Maynard
Re: [whatwg] getting rid of anonymizing redirects
Hi Chris, Looks like this is already supported: https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer. Just need to educate web developers to you use it. Peter From: Chris Bentzel Date: Tuesday, October 7, 2014 at 8:07 AM To: Peter Lepeska , WHAT Working Group , Subject: Re: getting rid of anonymizing redirects There's meta referrer on the document. Combining this with or Beacon for click tracking may remove many of the needs for redirects. Or do you want something that is per-link rather than per-document? On Tue Oct 07 2014 at 7:59:51 AM Peter Lepeska wrote: > All, > > Some web site developers use redirects to strip out referrer headers from > requests issued from users clicking links on their site. This causes a > blocking round trip and so has a really big impact on web performance. > > Can we give developers an alternative to this technique that will not incur a > performance penalty? For instance, can linkable elements support a > ³no-referrer² attribute or something similar? > > Thanks, > > Peter
Re: [whatwg] getting rid of anonymizing redirects
Thank you! From: Delfi Ramirez Organization: Segonquart Studio Date: Tuesday, October 7, 2014 at 8:20 AM To: Anne van Kesteren Cc: Peter Lepeska , WHAT Working Group , Subject: Re: [whatwg] getting rid of anonymizing redirects Thank you vm, Anne Van --- Delfi Ramirez My digital signature <http://delfiramirez.info/public/dr_public_key.asc> +34 633 589231 del...@segonquart.net twitter: delfinramirez IRC: segonquart Skype: segonquart http://segonquart.net http://delfiramirez.info <http://delfiramirez.info> On 2014-10-07 14:06, Anne van Kesteren wrote: > On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska wrote: >> Some web site developers use redirects to strip out referrer headers from >> requests issued from users clicking links on their site. This causes a >> blocking round trip and so has a really big impact on web performance. Can we >> give developers an alternative to this technique that will not incur a >> performance penalty? For instance, can linkable elements support a >> ³no-referrer² attribute or something similar? > https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrerhttp > ://w3c.github.io/webappsec/specs/referrer-policy/
[whatwg] getting rid of anonymizing redirects
All, Some web site developers use redirects to strip out referrer headers from requests issued from users clicking links on their site. This causes a blocking round trip and so has a really big impact on web performance. Can we give developers an alternative to this technique that will not incur a performance penalty? For instance, can linkable elements support a ³no-referrer² attribute or something similar? Thanks, Peter
