[Webkit-unassigned] [Bug 61576] New: Consider adding "scrub-referrer" directive to CSP

Thu May 26 16:12:57 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=61576

           Summary: Consider adding "scrub-referrer" directive to CSP
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: abarth at webkit.org
            Blocks: 53572

Lots of sensitive information leaks in the Referer header.  This paper has a bunch of scary examples:

http://w2spconf.com/2011/papers/privacyVsProtection.pdf

I'm not sure whether we can scrub the Referer header by default because lots of folks use the Referer header for all kinds of crazy stuff, but we should at least give sites an easy hook for scrubbing it.  There probably should be a couple options:

1) Remove header entirely.
2) Strip down the Referer to just the origin.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.