Bug 61576 - Consider adding "scrub-referrer" directive to CSP
Status: RESOLVED LATER
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
Blocks: 53572
Reported: 2011-05-26 16:12 PDT by Adam Barth
Modified: 2011-10-13 12:44 PDT
Description Adam Barth 2011-05-26 16:12:57 PDT
Lots of sensitive information leaks in the Referer header.  This paper has a bunch of scary examples:

http://w2spconf.com/2011/papers/privacyVsProtection.pdf

I'm not sure whether we can scrub the Referer header by default because lots of folks use the Referer header for all kinds of crazy stuff, but we should at least give sites an easy hook for scrubbing it.  There probably should be a couple options:

1) Remove header entirely.
2) Strip down the Referer to just the origin.
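
The two options listed in the description, sketched as an added example that is not part of the original bug report or of WebKit's code. The mode names and the `scrubReferrer` function are hypothetical (the bug never defined a syntax for the directive), and the URLs are constructed samples.

```javascript
// Hypothetical mode names; "scrub-referrer" was never given a concrete syntax.
const SCRUB_FULL = "full";      // baseline: no scrubbing requested
const SCRUB_REMOVE = "remove";  // option 1: remove the header entirely
const SCRUB_ORIGIN = "origin";  // option 2: strip the Referer down to the origin

// Returns the Referer value to send for a request made from documentUrl,
// or null when the header should be omitted.
function scrubReferrer(documentUrl, mode) {
  let url;
  try {
    url = new URL(documentUrl);
  } catch (e) {
    return null; // unparsable source URL: fail closed, send nothing
  }
  // Non-network documents (data:, file:, about:) never produce a Referer.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  if (mode === SCRUB_ORIGIN) return url.origin + "/";
  if (mode !== SCRUB_FULL) return null; // "remove" and unknown modes: no header

  // Baseline behaviour: path and query are sent; credentials and the
  // fragment are not part of a Referer value.
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

// Constructed sample: a password-reset page whose query string holds a secret.
const SAMPLE = "https://user:pw@shop.example/reset?token=abc123&email=a%40b.example#step2";

function demo() {
  return {
    full: scrubReferrer(SAMPLE, SCRUB_FULL),     // token and e-mail reach the third party
    origin: scrubReferrer(SAMPLE, SCRUB_ORIGIN), // only the site identity is sent
    remove: scrubReferrer(SAMPLE, SCRUB_REMOVE), // nothing is sent
  };
}

console.log(demo());
```
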
Comment 1 Adam Barth 2011-10-13 12:44:40 PDT
Maybe in a future version of CSP.