On 2/26/13 6:51 PM, Brian Smith wrote:
>> From
>>
https://wiki.mozilla.org/Privacy/Features/Shortened_HTTP_Referer_header
>
>> 4. Requirements
>>
>> [a] Test plan must be created and implemented [b] Use cases must be
>> clearly outlined and it must be clear how the feature addresses
>> each. [c] Initially, Phase 1 (user-set) should not change default
>> behavior until user initiates change. [d] Default referer behavior
>> for sites should not change until sites activate attenuation
>> features.
>
> Should these requirements be updated?
If you think they're not correct, and you wanna drive work on this
feature, go for it. They're pretty stale (I wrote them probably a year
ago).
> I think we should try to jump straight to making origin-only Referer
> headers the default by removing requirements [c] and [d], in the
> interests of expediency.
>
>[snip]
>
> I disagree with some aspects of the spec. In particular, I think the
> spec. should explicitly mention that the Referer header should be
> limited by whatever user preferences are in effect.
I agree with you here. I think, as with all site-specified configs
(their specs may or may not say how they interact with other features),
the user or user agent can always override the site's policy. My put is
that we should apply multiple layers of referrer policies to a URI in
this "trim down one layer at a time":
1. Start with raw referrer URI (ruri)
2. If there's a site-specific user-set option: strip this policy's
disallowed bits from ruri
3. If there's a browser-global user-set option: strip this policy's
disallowed bits from ruri
4. If there's a browser-global default option: strip this policy's
disallowed bits from ruri
5. If there's a site-specified policy: strip this policy's disallowed
bits from ruri
6. Use whatever's left of ruri
(There's probably a more efficient mechanism to obtain the smallest
allowable referrer, but this was just how I process it in my brain.)
> With that out of the way, I propose that Firefox use the following
> interpretation of the values of the <meta referrer> header:
>
> "never" - As specified in the wiki; do not send the Referer header.
> (This is the current behavior of Firefox for HTTPS -> HTTP
> nagivations.)
>
> "origin" - As specified in the wiki. (This would change Firefox's
> HTTPS -> HTTP behavior to disclose the scheme, host, and port where
> it currently does not do so, and it would change Firefox's behavior
> to disclose less in all other cases.)
>
> "default" - For HTTPS -> HTTP navigations, do not send any Referer
> header; otherwise, treat like "origin". (This discloses less
> information in the Referer header than what is specified in the
> wiki.)
>
> "always" - Same as "origin". (This discloses less information in the
> Referer header than what the wiki recommends.)
>
> any other value (or missing): Same as "default", which is what the
> wiki specifies.
>
> IMPORTANT NOTE: In case it isn't clear, my proposal is suggesting
> that we shorten our default Referer header by default to sends only
> the origin (e.g.
http://example.org:123/ instead of
>
http://example.org:123/path?query#fragment), and that we allow sites
> to opt in to sending the origin for HTTPS -> HTTP navigations.
Can you explain how a site could opt-in to sending the entire referrer?
It seems you're recommending throwing away fragment and path from all
referrers with no way to get it back...
If we're worried about breakage, we could implement something less
abrasive than that now (default policy doesn't change, for example) and
then experiment with changing the defaults. In the short term we would
get controls into the hands of users/add-ons that want them (and sites)
and in the long term we could explore adjusting the default.
-Sid