<CAJE5ia8=TgrdZNFqDjRTKcVZvgBzCNCHMzTGaWQsvsQVC0GkVQ@mail.gmail.com>
On Tue, Oct 25, 2011 at 5:59 PM, Glenn Maynard <glenn@zewt.org> wrote:
> On Tue, Oct 25, 2011 at 7:55 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>>
>> There is a fairly strong security benefit of policing it on document-
>> or even origin-level: it's exceedingly easy to miss an outgoing link
>> or a Referer-sending subresource (including <img>, <iframe>, <link
>> rel=...>) otherwise.
>
> But it has the very problem that it's global, whether you want it or not.
> Also, the problem is reversed for "always"--you probably *want* to specify
> that explicitly on a link-by-link basis, since it's loosening the referrer
> rules rather than tightening them.
>
> <meta> could be used to set the default referrer mode, then use rel=
> consistently with noreferrer.  For example,
>
> <meta name="referrer" content="noreferrer">
> <meta name="referrer" content="alwaysreferrer">
> <meta name="referrer" content="originreferrer">
> <meta name="referrer" content="defaultreferrer">
>
> This would set the default, which could be overridden with rel:
>
> <a rel="noreferrer"> <!-- already works -->
> <a rel="alwaysreferrer">
> <a rel="originreferrer">
> <a rel="defaultreferrer">
>
> That would allow using the existing noreferrer feature globally, using the
> new referrer modes for specific links, setting noreferrer globally and a
> different mode for specific resources, and so on.

That's an interesting idea.  It certainly integrates the two features
better.  We might need to iterate on the names a bit though.  It's a
bit strange to have two levels of defaults.  For example, suppose you
have <meta name="referrer" content="noreferrer"> but then <a
rel="defaultreferrer">.  That's like overriding the one level of
default to get to a "more" default behavior.

> On Tue, Oct 25, 2011 at 7:59 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Similarly, it's useful for this feature to apply things besides links,
>> such as iframes (e.g., advertisements embedded in a social networking
>> site---see previously mentioned news stories).  I can add this
>> information to the use cases section if that would be helpful.
>
> Are implementors really willing to implement a feature that allows disabling
> referrers for non-links, though?  I'm pretty sure rel=noreferrer's
> links-only limitation is by design.

I'm an implementor, and I'm interested in implementing this feature.  :)

If other implementors have opinions on this topic, now would be a
good time to speak up.

Adam
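
The resolution rule sketched in the quoted proposal (a <meta> default that a rel token on the element overrides), as an added JavaScript example that is not part of the original message or of any browser's code. The function names and the meaning given to each mode are assumptions; the thread supplies only the mode names.

```javascript
// Assumed meaning of each mode (the thread gives only the names):
//   noreferrer      -> send no Referer
//   originreferrer  -> send only the origin, e.g. "https://site.example/"
//   alwaysreferrer  -> send the full URL, even on HTTPS -> HTTP
//   defaultreferrer -> browser built-in: full URL, but nothing on HTTPS -> HTTP
const MODES = ["noreferrer", "originreferrer", "alwaysreferrer", "defaultreferrer"];

// Pick the mode in force: a rel token on the element wins over the <meta> default.
function resolveMode(metaContent, rel) {
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  const fromRel = tokens.find((t) => MODES.includes(t));
  if (fromRel) return fromRel;
  const meta = (metaContent || "").trim().toLowerCase();
  return MODES.includes(meta) ? meta : "defaultreferrer";
}

// Compute the Referer header value, or null when none is sent.
function refererFor(docUrl, targetUrl, metaContent, rel) {
  const doc = new URL(docUrl);
  const target = new URL(targetUrl);
  doc.hash = "";      // fragments never go in Referer
  doc.username = "";  // nor do credentials
  doc.password = "";
  const downgrade = doc.protocol === "https:" && target.protocol === "http:";
  switch (resolveMode(metaContent, rel)) {
    case "noreferrer": return null;
    case "originreferrer": return doc.origin + "/";
    case "alwaysreferrer": return doc.href;
    default: return downgrade ? null : doc.href;
  }
}

// Constructed sample: a profile page whose URL carries private state.
const page = "https://social.example/u/alice?tab=private#photos";
// Document-level noreferrer covers an element that carries no rel token.
console.log(refererFor(page, "https://ads.example/slot", "noreferrer", ""));
// The "two levels of defaults" case: the rel token reopens the full URL.
console.log(refererFor(page, "https://ads.example/slot", "noreferrer", "defaultreferrer"));
```

An audit of a page that sets noreferrer at document level therefore has to look for rel tokens that loosen it, since under this rule each one restores a Referer for that element.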