61576 2011-05-26 16:12:57 -0700 Consider adding "scrub-referrer" directive to CSP 2011-10-13 12:44:40 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED LATER P2 Normal --- 53572 1 abarth webkit-unassigned dpranke dveditz jochen oldest_to_newest 410966 0 abarth 2011-05-26 16:12:57 -0700 Lots of sensitive information leaks in the Referer header. This paper has a bunch of scary examples: http://w2spconf.com/2011/papers/privacyVsProtection.pdf I'm not sure whether we can scrub the Referer header by default because lots of folks use the Referer header for all kinds of crazy stuff, but we should at least give sites an easy hook for scrubbing it. There probably should be a couple options: 1) Remove header entirely. 2) Strip down the Referer to just the origin. 483403 1 abarth 2011-10-13 12:44:40 -0700 Maybe in a future version of CSP.