[whatwg] <meta name="referrer">

Adam Barth w3c at adambarth.com
Tue Oct 25 18:16:33 PDT 2011


On Tue, Oct 25, 2011 at 5:59 PM, Glenn Maynard <glenn at zewt.org> wrote:
> On Tue, Oct 25, 2011 at 7:55 PM, Michal Zalewski <lcamtuf at coredump.cx>
> wrote:
>>
>> There is a fairly strong security benefit of policing it on document-
>> or even origin-level: it's exceedingly easy to miss an outgoing link
>> or a Referer-sending subresource (including <img>, <iframe>, <link
>> rel=...>) otherwise.
>
> But it has the very problem that it's global, whether you want it or not.
> Also, the problem is reversed for "always"--you probably *want* to specify
> that explicitly on a link-by-link basis, since it's loosening the referrer
> rules rather than tightening them.
>
> <meta> could be used to set the default referrer mode, then use rel=
> consistently with noreferrer.  For example,
>
> <meta name="referrer" content="noreferrer">
> <meta name="referrer" content="alwaysreferrer">
> <meta name="referrer" content="originreferrer">
> <meta name="referrer" content="defaultreferrer">
>
> This would set the default, which could be overridden with rel:
>
> <a rel="noreferrer"> <!-- already works --> <a rel="alwaysreferrer"> <a
> rel="originreferrer"> <a rel="defaultreferrer">
>
> That would allow using the existing noreferrer feature globally, using the
> new referrer modes for specific links, setting noreferrer globally and a
> different mode for specific resources, and so on.

That's an interesting idea.  It certainly integrates the two features
better.  We might need to iterate on the names a bit though.

It's a bit strange to have two levels of defaults.  For example,
suppose you have <meta name="referrer" content="noreferrer"> but then
<a rel="defaultreferrer">.  That's like overriding the one level of
default to get to a "more" default behavior.

> On Tue, Oct 25, 2011 at 7:59 PM, Adam Barth <w3c at adambarth.com> wrote:
>> Similarly, it's useful for this feature to apply things besides links,
>> such as iframes (e.g., advertisements embedded in a social networking
>> site---see previously mentioned news stories).  I can add this
>> information to the use cases section if that would be helpful.
>
> Are implementors really willing to implement a feature that allows disabling
> referrers for non-links, though?  I'm pretty sure rel=noreferrer's
> links-only limitation is by design.

I'm an implementor, and I'm interested in implementing this feature.  :)

If other implementors have an opinions on this topic, now would be a
good time to speak up.

Adam



More information about the whatwg mailing list