Bug 61576 - Consider adding "scrub-referrer" directive to CSP
: Consider adding "scrub-referrer" directive to CSP
Status: RESOLVED LATER
: WebKit
WebCore Misc.
: 528+ (Nightly build)
: All All
: P2 Normal
Assigned To:
:
:
:
: 53572
  Show dependency treegraph
 
Reported: 2011-05-26 16:12 PST by
Modified: 2011-10-13 12:44 PST (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2011-05-26 16:12:57 PST
Lots of sensitive information leaks in the Referer header.  This paper has a bunch of scary examples:

http://w2spconf.com/2011/papers/privacyVsProtection.pdf

I'm not sure whether we can scrub the Referer header by default because lots of folks use the Referer header for all kinds of crazy stuff, but we should at least give sites an easy hook for scrubbing it.  There probably should be a couple options:

1) Remove header entirely.
2) Strip down the Referer to just the origin.
------- Comment #1 From 2011-10-13 12:44:40 PST -------
Maybe in a future version of CSP.