[whatwg] <meta name="referrer">
Michal Zalewski
lcamtuf at coredump.cx
Tue Oct 25 16:55:44 PDT 2011
> It would be nice if this could be done orthogonally to rel="noreferrer", and
> in a way that's link-specific instead of global to the whole page; for
> example, <a rel="originreferrer">, <a rel="alwaysreferrer">.
There is a fairly strong security benefit of policing it on document-
or even origin-level: it's exceedingly easy to miss an outgoing link
or a Referer-sending subresource (including <img>, <iframe>, <link
rel=...>) otherwise.
It's roughly the same reason why we have CSP, even though policing the
markup is theoretically possible without it.
/mz
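
An added example, not part of the original message: a small Python audit that lists the cross-origin links and subresources on a page that would still send a Referer when only some links carry rel="noreferrer", alongside the single document-level `<meta name="referrer">` value. The page URL, hostnames and markup are constructed, and the `audit` helper is hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute triggers a navigation or fetch that can carry a Referer.
URL_ATTRS = {"a": "href", "area": "href", "img": "src", "iframe": "src",
             "script": "src", "link": "href"}

class ReferrerAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origin = urlsplit(page_url)[:2]   # (scheme, host)
        self.meta_policy = None                # content of <meta name="referrer">
        self.unprotected = []                  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_policy = (a.get("content") or "").strip().lower()
            return
        attr = URL_ATTRS.get(tag)
        if not attr or not a.get(attr):
            return
        target = urlsplit(urljoin(self.page_url, a[attr]))
        if target.scheme not in ("http", "https") or target[:2] == self.origin:
            return                             # same-origin or non-HTTP: out of scope
        # Simplification: only rel=noreferrer on <a>/<area> counts as a per-element opt-out.
        if tag in ("a", "area") and "noreferrer" in (a.get("rel") or "").lower().split():
            return
        self.unprotected.append((tag, target.geturl()))

def audit(html, page_url):
    parser = ReferrerAudit(page_url)
    parser.feed(html)
    return parser.meta_policy, parser.unprotected

# Constructed sample: one link was annotated, everything else was missed.
PAGE = "https://intranet.example.com/reports/q3?token=abc"
SAMPLE = """
<head><link rel="stylesheet" href="https://cdn.example.net/site.css"></head>
<a rel="noreferrer" href="https://partner.example.org/">partner</a>
<a href="https://other.example.org/page">forgotten link</a>
<a href="/local">local</a>
<img src="https://tracker.example.net/pixel.gif">
<iframe src="https://widgets.example.net/embed"></iframe>
"""

if __name__ == "__main__":
    print(audit(SAMPLE, PAGE))
```
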