[whatwg] <meta name="referrer">
glenn at zewt.org
Tue Oct 25 17:59:07 PDT 2011
On Tue, Oct 25, 2011 at 7:55 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> There is a fairly strong security benefit of policing it on document-
> or even origin-level: it's exceedingly easy to miss an outgoing link
> or a Referer-sending subresource (including <img>, <iframe>, <link
> rel=...>) otherwise.
But it has the very problem that it's global, whether you want it or not.
Also, the problem is reversed for "always"--you probably *want* to specify
that explicitly on a link-by-link basis, since it's loosening the referrer
rules rather than tightening them.
<meta> could be used to set the default referrer mode, then use rel=
consistently with noreferrer. For example,
<meta name="referrer" content="noreferrer">
<meta name="referrer" content="alwaysreferrer">
<meta name="referrer" content="originreferrer">
<meta name="referrer" content="defaultreferrer">
This would set the default, which could be overridden with rel:
<a rel="noreferrer"> <!-- already works -->
<a rel="alwaysreferrer">
<a rel="originreferrer">
<a rel="defaultreferrer">
That would allow using the existing noreferrer feature globally, using the
new referrer modes for specific links, setting noreferrer globally and a
different mode for specific resources, and so on.
On Tue, Oct 25, 2011 at 7:59 PM, Adam Barth <w3c at adambarth.com> wrote:
> Similarly, it's useful for this feature to apply to things besides links,
> such as iframes (e.g., advertisements embedded in a social networking
> site---see previously mentioned news stories). I can add this
> information to the use cases section if that would be helpful.
Are implementors really willing to implement a feature that allows disabling
referrers for non-links, though? I'm pretty sure rel=noreferrer's
links-only limitation is by design.
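
An added example, not part of the original message and not any browser's code: it resolves the proposed document-wide default against a per-link rel override and shows which Referer value each link would send. The mode names come from the message; their semantics, the rule that noreferrer wins when several mode tokens appear, and the function names are assumptions made for illustration.

```javascript
// Mode names as proposed in the message; the semantics below are assumptions.
const MODES = ["noreferrer", "alwaysreferrer", "originreferrer", "defaultreferrer"];

// A recognised rel token overrides the <meta name="referrer"> default.
// Assumption: with conflicting tokens, noreferrer wins (fail closed).
function effectiveMode(metaContent, rel) {
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  const fromRel = tokens.filter((t) => MODES.includes(t));
  if (fromRel.includes("noreferrer")) return "noreferrer";
  if (fromRel.length > 0) return fromRel[0];
  const meta = (metaContent || "").trim().toLowerCase();
  return MODES.includes(meta) ? meta : "defaultreferrer";
}

// Returns the Referer value for a request, or null when none is sent.
function refererFor(mode, documentUrl, targetUrl) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  doc.hash = ""; // fragments are never sent in Referer
  doc.username = "";
  doc.password = "";
  const downgrade = doc.protocol === "https:" && target.protocol !== "https:";
  switch (mode) {
    case "noreferrer": return null;
    case "originreferrer": return doc.origin + "/"; // origin only, no path or query
    case "alwaysreferrer": return doc.href;         // sent even on HTTPS -> HTTP
    default: return downgrade ? null : doc.href;    // defaultreferrer
  }
}

// Constructed sample: strict document default, two links deliberately loosened.
const page = { url: "https://social.example/inbox?user=alice#msg-7", meta: "noreferrer" };
const links = [
  { href: "https://ads.example/click", rel: "" },
  { href: "https://partner.example/landing", rel: "originreferrer" },
  { href: "http://legacy.example/", rel: "nofollow alwaysreferrer" },
];

function audit(page, links) {
  return links.map((l) => {
    const mode = effectiveMode(page.meta, l.rel);
    return { href: l.href, mode, referer: refererFor(mode, page.url, l.href) };
  });
}

console.table(audit(page, links));
```

With the default set to noreferrer, only the links that carry an explicit loosening token leak anything, which makes them easy to enumerate in a review.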