This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
For main proposal, see: http://wiki.whatwg.org/wiki/Meta_referrer Further comments: On Tue, 25 Oct 2011, Glenn Maynard wrote: > > It would be nice if this could be done orthogonally to > rel="noreferrer", and in a way that's link-specific instead of > global to the whole page; for example, <a rel="originreferrer">, <a > rel="alwaysreferrer">. > > Also, is this really intended to affect things other than links (eg. > images and other resources)? rel=noreferrer only works on links. > > Also, note noreferrer's effect on "opener", which is probably > appliable here as well: > http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer On Tue, 25 Oct 2011, Michal Zalewski wrote: > > There is a fairly strong security benefit of policing it on > document- or even origin-level: it's exceedingly easy to miss an > outgoing link or a Referer-sending subresource (including <img>, > <iframe>, <link rel=...>) otherwise. > > It's roughly the same reason why we have CSP, even though policing > the markup is theoretically possible without it. On Tue, 25 Oct 2011, Adam Barth wrote: > > Similarly, it's useful for this feature to apply things besides > links, such as iframes (e.g., advertisements embedded in a social > networking site---see previously mentioned news stories). I can add > this information to the use cases section if that would be helpful. Further discussion suggested using <meta> to set the default, and rel="" to overrride it on a per-link basis.
I assume Chrome is interested; anyone else?
Looks like this spec is going to handle it: https://w3c.github.io/webappsec/specs/referrer-policy/
Indeed it does. Also took ownership of the legacy values and such.