On 2/26/2013 7:22 PM, Brian Smith wrote:
> Brian Smith wrote:
>> Also note that Google's and Facebook's use of
>> the redirect shows that prohibiting the sending of the Referer
>> header for HTTPS -> HTTP cases for values "origin" and "always" is
>> not really a way to enforce privacy-preserving behavior.
> Also, note that Google and Facebook must redirect to a *non-HTTPS* location for this hack to work. So, implementing my proposal should make it easier for them to switch on HSTS (Strict Transport Security) on more of their domains, and it should eliminate unnecessary HTTPS -> HTTP -> HTTPS transitions (e.g. https://facebook.com/ -> http://facebook.com?redirectTo=https://example.org -> https://example.org) in many cases. (Currently on facebook.com and google.com, a passive MitM cannot learn the target URL and an active MitM can alter the target of your link click.)
> So, I think this proposal is +1 security, +1 performance, and +1 privacy, though with unknown compatibility risk.
This is definitely an interesting feature and one that I'd like to see
us tackle with Firefox.
I agree that this is +1 security, performance, and privacy and I think
we s could mitigate and manage compatibility better if our initial
approach was simply to implement the feature for websites (and perhaps
Firefox users through a preference setting) without actually changing
the default way Firefox handles referrers.
Over time, and as we learn more about the impact of the changes, we can
consider changing Firefox's default behavior.