(formatting) | (rewording)
Line 145: | Line 145: | ||
| style="text-align: center;" | 12 | | style="text-align: center;" | 12 | ||
| Recommended for all websites | | Recommended for all websites | ||
| Improves privacy for users, prevents leaking of internal URLs via Referer | | Improves privacy for users, prevents the leaking of internal URLs via <tt>Referer</tt> header | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]] | | data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]] | ||
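Review bot: the reworded table cell still drops the article before the header name; since this edit already changed "prevents leaking" to "prevents the leaking", make it "via the <tt>Referer</tt> header" for the same reason.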
Line 547: | Line 547: | ||
= Referrer Policy = | = Referrer Policy = | ||
When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform | When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP <tt>Referer</tt> (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk. HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP <tt>Referer</tt> header. | ||
In normal operation, if a page at https://example.com/page.html contains <tt><img src="https://not.example.com/image.jpg"></tt>, then the browser will send a request like this: | |||
<pre>GET /image/jpg HTTP/1.1 | <pre>GET /image/jpg HTTP/1.1 | ||
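Review bot: the request line in the <pre> example does not match the resource named in the newly added sentence above it: the <tt>img</tt> tag loads https://not.example.com/image.jpg, but the request reads GET /image/jpg HTTP/1.1. Change it to GET /image.jpg HTTP/1.1 so the example hangs together; the mismatch was already there, but it becomes conspicuous now that the sentence spells out the URL.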
Line 553: | Line 555: | ||
Referer: https://example.com/page.html</pre> | Referer: https://example.com/page.html</pre> | ||
To | In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. To limit the exposure of this information, it is recommended that websites use HTTP Referrer Policy to either eliminate the <tt>Referer</tt> header entirely, or reduce the amount of information that it contains. | ||
== Directives == | == Directives == | ||
<tt>no-referrer</tt>: never send the | * <tt>no-referrer</tt>: never send the <tt>Referer</tt> header | ||
<tt>same-origin</tt>: send referrer, but only on requests to the same origin | * <tt>same-origin</tt>: send referrer, but only on requests to the same origin | ||
<tt>strict-origin</tt>: send referrer to all origins, but only the URL sans path (e.g. https://example.com/) | * <tt>strict-origin</tt>: send referrer to all origins, but only the URL sans path (e.g. https://example.com/) | ||
<tt>strict-origin-when-cross-origin</tt>: send full referrer on same origin, URL sans path on foreign origin | * <tt>strict-origin-when-cross-origin</tt>: send full referrer on same origin, URL sans path on foreign origin | ||
== Notes == | == Notes == | ||
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above. | |||
<tt>no-referrer-when-downgrade</tt> is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation. | |||
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports <tt>no-referrer</tt> from the | Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports <tt>no-referrer</tt> from the directives above, and Firefox awaits full support with Firefox 52. | ||
== Examples == | == Examples == |
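Review bot: in the rewritten paragraph that begins "In addition to the privacy risks", the phrase "internal-use-only URLs that it may not have intended to reveal" leaves "it" pointing at the browser, which has no intentions; say "that the site may not have intended to reveal". Two smaller points in the same hunk: the Notes call <tt>no-referrer-when-downgrade</tt> the default for all current browsers but never say what it does, so a one-line entry in the same shape as the bullets under Directives would let readers compare it with the recommended values; and "full Referrer header" in that sentence should read "<tt>Referer</tt> header" to match the spelling and markup used everywhere else in the hunk.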