Re: [hackers]

From: nzl <>
Date: Sun, 18 Nov 2018 22:46:18 -0800

Hi all,

> Thank you, but I'm not sure what you want us to do with that.
> Is this for mainline integration?

That's my original thought.

> If so, I find it a bit too drastic, some websites don't work without
> the correct referer (mostly with session).

Yes, I've used it for a while now and found many sites not working.

> Some browsers have different "privacy" options like:
> 1. Strip the referer header entirely.
> 2. Only allow it for the same origin domains.
> 3. Allow "crossdomain" referer, but only set the domain part.

I'd like to make such a patch, but now I've found my patch couldn't handle
frames correctly, and I don't know how to fix that. There seems to be no
such an API to get the reference to the target frame in decide-policy
signal handler. So it'll break more sites.

> Of course you can also strip the Referer using a filtering proxy and not do
> this in the browser itself.

That sounds a nice approach.
Received on Mon Nov 19 2018 - 07:46:18 CET

This archive was generated by hypermail 2.3.0 : Mon Nov 19 2018 - 07:48:20 CET