Bug 61576

Summary: Consider adding "scrub-referrer" directive to CSP
Product: WebKit
Reporter: Adam Barth <abarth>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED LATER
Severity: Normal
CC: dpranke, dveditz, jochen
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 53572

Description Adam Barth 2011-05-26 16:12:57 PDT
Lots of sensitive information leaks in the Referer header.  This paper has a bunch of scary examples:

http://w2spconf.com/2011/papers/privacyVsProtection.pdf

I'm not sure whether we can scrub the Referer header by default because lots of folks use the Referer header for all kinds of crazy stuff, but we should at least give sites an easy hook for scrubbing it.  There probably should be a couple options:

1) Remove header entirely.
2) Strip down the Referer to just the origin.

Comment 1 Adam Barth 2011-10-13 12:44:40 PDT
Maybe in a future version of CSP.
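
The two options listed in the description, as an added example that is not part of the original bug report and is not WebKit code: it computes the Referer value a third-party server would receive under no scrubbing, origin-only stripping, and full removal. The mode names, function names and sample URLs are assumptions made for illustration; the baseline rules (no userinfo or fragment, no header on an HTTPS to HTTP request) follow RFC 7231 section 5.5.2.

```javascript
// Added illustration, not WebKit code. The mode names 'none', 'origin' and
// 'remove' are hypothetical labels for "no scrubbing" and options 2) and 1).

// Referer a browser sends with no scrubbing: the document URL without
// userinfo or fragment (RFC 7231 section 5.5.2). Non-HTTP(S) documents send none.
function defaultReferer(docUrl) {
  const u = new URL(docUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Value of the Referer header for a request from docUrl to destUrl,
// or null when the header is omitted.
function scrubReferer(docUrl, destUrl, mode) {
  const full = defaultReferer(docUrl);
  if (full === null) return null;
  // RFC 7231: never send Referer from a secure page to an insecure request.
  const downgrade = new URL(docUrl).protocol === 'https:' &&
                    new URL(destUrl).protocol === 'http:';
  if (downgrade) return null;
  switch (mode) {
    case 'none':   return full;                          // path and query exposed
    case 'origin': return new URL(full).origin + '/';    // option 2
    case 'remove': return null;                          // option 1
    default: throw new Error('unknown mode: ' + mode);
  }
}

// Query parameter names the destination server can read from the header.
function leakedParams(referer) {
  return referer === null ? [] : [...new URL(referer).searchParams.keys()];
}

// Constructed sample: a password-reset page that loads a third-party script.
const DOC = 'https://alice:pw@shop.example:443/reset?token=CONSTRUCTED123&uid=42#step2';
const DEST = 'https://cdn.example/lib.js';

for (const mode of ['none', 'origin', 'remove']) {
  const r = scrubReferer(DOC, DEST, mode);
  console.log(mode.padEnd(6), r, leakedParams(r));
}
```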