Intent to ship: Meta Referrer

177 views
Skip to first unread message

sst...@mozilla.com

unread,
Feb 20, 2015, 9:48:55 AM2/20/15
to
Feature Summary:
While the HTTP Referer header can be suppressed for links with the noreferrer link type, authors might wish to control its content more directly for a number of reasons:
* Privacy - stripping the path or blocking referrer entirely on outbound links
* Efficiency - referrer can be manipulated via redirect tricks, but that causes extra web requests
* HTTPS sites might wish to send a referrer to HTTP sites for accounting or track-backs
Using a meta tag, sites can specify a Referrer Policy that dictates how much of the URL is sent as the HTTP Referer header on subresource and outbound links, and also in which cases it is sent. See the draft spec for details.

Status:
* Owen Chu started implementing this two years ago, and we gradually ended up with a working implementation that landed 11/18/2014.
* Most of the code used by the meta referrer feature is also used for Content Security Policy's "referrer" directive.
* Due to oversight, this landed without an "intent to implement".
* One bug (1113431) was reported recently and blocks shipping this feature, but we anticipate fixing it quickly.
* The feature is currently on the 37 train, and I'd like to ship it with Firefox 37.

Draft Spec: https://w3c.github.io/webappsec/specs/referrer-policy/
Main Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=704320
Note from Spec Editor: https://bugzilla.mozilla.org/show_bug.cgi?id=1113431#c29
UAs supporting this: Chrome, Safari
Sites requesting: Facebook, Yahoo, Google want this
Intended Platform Coverage: all gecko-based platforms

If anyone has concerns or considerations that need addressing before we ship meta referrer, please let us know!

-Sid
Reply all
Reply to author
Forward
0 new messages