WebKit Bugzilla
RESOLVED LATER
61576
Consider adding "scrub-referrer" directive to CSP
https://bugs.webkit.org/show_bug.cgi?id=61576
Adam Barth
Reported
2011-05-26 16:12:57 PDT
Lots of sensitive information leaks in the Referer header. This paper has a bunch of scary examples:
http://w2spconf.com/2011/papers/privacyVsProtection.pdf
I'm not sure whether we can scrub the Referer header by default because lots of folks use the Referer header for all kinds of crazy stuff, but we should at least give sites an easy hook for scrubbing it. There probably should be a couple options: 1) Remove header entirely. 2) Strip down the Referer to just the origin.
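The two options proposed in the report above, worked through on a constructed URL. This is an added example, not part of the original bug report or of WebKit's code; the function `scrubReferrer`, its mode names and the sample URL are hypothetical.

```javascript
// Added illustration of the two scrubbing options from the report.
// scrubReferrer() and the mode names are hypothetical, not a WebKit or CSP API.
// Returns the Referer header value to send, or null when no header is sent.
function scrubReferrer(documentUrl, mode) {
  // Option 1: remove the header entirely.
  if (mode === "remove") return null;

  let url;
  try {
    url = new URL(documentUrl);
  } catch {
    return null; // unparseable source URL: send nothing rather than guess
  }

  // Non-HTTP(S) documents (data:, file:, about:) have no useful origin to report.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  // Option 2: strip the Referer down to just the origin.
  // URL.origin already omits userinfo, path, query, fragment and default ports.
  if (mode === "origin") return url.origin + "/";

  // Unscrubbed baseline for comparison: only userinfo and fragment are dropped,
  // so the path and query string still reach the destination site.
  if (mode === "full") {
    url.username = "";
    url.password = "";
    url.hash = "";
    return url.href;
  }

  throw new RangeError("unknown mode: " + mode);
}

// Constructed sample: a page URL carrying a search term and a session token.
const SAMPLE =
  "https://user:pw@health.example:443/search?q=condition&session=abc123#results";

function demo() {
  return {
    full: scrubReferrer(SAMPLE, "full"),
    origin: scrubReferrer(SAMPLE, "origin"),
    remove: scrubReferrer(SAMPLE, "remove"),
  };
}
```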
Adam Barth
Comment 1
2011-10-13 12:44:40 PDT
Maybe in a future version of CSP.