This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 22675 - Features to control the "Referer" header
Summary: Features to control the "Referer" header
Status: RESOLVED WORKSFORME
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML
Version: unspecified
Hardware: Other other
: P3 enhancement
Target Milestone: Needs Impl Interest
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
Reported: 2013-07-15 23:05 UTC by Ian 'Hixie' Hickson
Modified: 2015-08-07 16:25 UTC

Description Ian 'Hixie' Hickson 2013-07-15 23:05:10 UTC
For main proposal, see: http://wiki.whatwg.org/wiki/Meta_referrer

Further comments:

On Tue, 25 Oct 2011, Glenn Maynard wrote:
>
> It would be nice if this could be done orthogonally to
> rel="noreferrer", and in a way that's link-specific instead of
> global to the whole page; for example, <a rel="originreferrer">, <a
> rel="alwaysreferrer">.
>
> Also, is this really intended to affect things other than links (eg.
> images and other resources)? rel=noreferrer only works on links.
>
> Also, note noreferrer's effect on "opener", which is probably
> applicable here as well:
> http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer

On Tue, 25 Oct 2011, Michal Zalewski wrote:
>
> There is a fairly strong security benefit of policing it on
> document- or even origin-level: it's exceedingly easy to miss an
> outgoing link or a Referer-sending subresource (including <img>,
> <iframe>, <link rel=...>) otherwise.
>
> It's roughly the same reason why we have CSP, even though policing
> the markup is theoretically possible without it.

On Tue, 25 Oct 2011, Adam Barth wrote:
>
> Similarly, it's useful for this feature to apply to things besides
> links, such as iframes (e.g., advertisements embedded in a social
> networking site---see previously mentioned news stories). I can add
> this information to the use cases section if that would be helpful.

Further discussion suggested using <meta> to set the default, and rel="" to override it on a per-link basis.
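
As an added illustration (not part of the bug report, the wiki proposal or any specification), the sketch below models the arrangement suggested above: a document-wide default taken from <meta> that a per-link rel token can override. It assumes the legacy policy names never, default, origin and always, treats originreferrer and alwaysreferrer as the unstandardized tokens proposed in the thread, and assumes the most restrictive token wins when a link carries several.

```javascript
// Added example: resolves which Referer value a navigation would carry.
// rel tokens mapped to policies, ordered most restrictive first (assumption).
const REL_POLICIES = [
  ["noreferrer", "never"],
  ["originreferrer", "origin"], // proposed in the thread, never standardized
  ["alwaysreferrer", "always"], // proposed in the thread, never standardized
];

// A per-link rel token overrides the document-wide <meta> default.
function effectivePolicy(metaPolicy, rel) {
  const tokens = new Set((rel || "").toLowerCase().split(/\s+/));
  for (const [token, policy] of REL_POLICIES) {
    if (tokens.has(token)) return policy;
  }
  return metaPolicy || "default";
}

// Returns the Referer header value, or null when no header is sent.
function refererFor(docUrl, targetUrl, metaPolicy, rel) {
  const doc = new URL(docUrl);
  const target = new URL(targetUrl);
  // Fragments and embedded credentials are never placed in a Referer.
  doc.hash = "";
  doc.username = "";
  doc.password = "";
  switch (effectivePolicy(metaPolicy, rel)) {
    case "never":
      return null;
    case "origin":
      return doc.origin + "/";
    case "always":
      return doc.href;
    default:
      // "default" (and unknown values): full URL, but nothing is sent
      // when navigating from HTTPS to a non-HTTPS target.
      return doc.protocol === "https:" && target.protocol !== "https:"
        ? null
        : doc.href;
  }
}

// Constructed sample: a private profile page embedding a third-party frame.
const page = "https://social.example/u/alice?tab=private#inbox";
console.log(refererFor(page, "https://ads.example/frame", "origin", ""));
console.log(refererFor(page, "https://ads.example/frame", "origin", "noreferrer"));
```

With the document-level default set to origin, every link and subresource on the page is covered even if its markup carries no rel token, which is the benefit argued for in the quoted comments.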
Comment 1 Ian 'Hixie' Hickson 2013-11-12 22:48:33 UTC
I assume Chrome is interested; anyone else?
Comment 2 Ian 'Hixie' Hickson 2014-07-22 17:21:34 UTC
Looks like this spec is going to handle it:
   https://w3c.github.io/webappsec/specs/referrer-policy/
Comment 3 Anne 2015-08-07 16:25:20 UTC
Indeed it does. Also took ownership of the legacy values and such.