Brian Smith wrote:
> Also note that Google's and Facebook's use of
> the redirect shows that prohibiting the sending of the Referer
> header for HTTPS -> HTTP cases for values "origin" and "always" is
> not really a way to enforce privacy-preserving behavior.
Also, note that Google and Facebook must redirect to a *non-HTTPS* location for this hack to work. So, implementing my proposal should make it easier for them to switch on HSTS (Strict Transport Security) on more of their domains, and it should eliminate unnecessary HTTPS -> HTTP -> HTTPS transitions (e.g. https://facebook.com/ -> http://facebook.com?redirectTo=https://example.org -> https://example.org) in many cases. (Currently on facebook.com and google.com, a passive MitM cannot learn the target URL and an active MitM can alter the target of your link click.)
So, I think this proposal is +1 security, +1 performance, and +1 privacy, though with unknown compatibility risk.
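As an added illustration of the redirector hack discussed above (example code written for this page, not from the thread or from either site), here is a small model of which Referer value reaches each hop of the chain, using the policy names of the old `<meta name="referrer">` draft (never, default, origin, always). It assumes each hop is a document-level redirect (so the Referer for a hop is computed from the previous hop as a fresh navigation) and that hosts listed as HSTS are upgraded to https before the request leaves the browser; both are assumptions, not facts stated in the message.

```python
from urllib.parse import urlsplit, urlunsplit

# Referer value a browser attaches for a navigation source -> target.
# Policy names follow the old <meta name="referrer"> draft discussed in the thread.
# strip_on_downgrade models the variant the quoted text mentions: send nothing on
# HTTPS -> HTTP even for "origin" and "always".
def referer_for(policy, source, target, strip_on_downgrade=False):
    src, dst = urlsplit(source), urlsplit(target)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "never":
        return None
    if policy == "default":
        return None if downgrade else source
    if downgrade and strip_on_downgrade:
        return None
    if policy == "origin":
        return f"{src.scheme}://{src.netloc}/"
    if policy == "always":
        return source
    raise ValueError(f"unknown policy {policy!r}")

# Walk the redirect chain. Assumption: every hop is a document-level redirect, so
# hop N's Referer is derived from hop N-1. hsts_hosts (assumed browser state) are
# rewritten to https first, which is why HSTS and the hack cannot coexist: once the
# hop is https, the HTTPS -> HTTP downgrade that stripped the Referer never happens.
def follow_chain(policy, chain, hsts_hosts=(), strip_on_downgrade=False):
    hops = []
    previous = chain[0]
    for url in chain[1:]:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in hsts_hosts:
            url = urlunsplit(("https",) + tuple(parts[1:]))  # HSTS upgrade
        hops.append({
            "url": url,
            "referer": referer_for(policy, previous, url, strip_on_downgrade),
            "plaintext": urlsplit(url).scheme == "http",  # hop travels unencrypted
        })
        previous = url
    return hops

# Constructed chain mirroring the one in the message.
CHAIN = ["https://facebook.com/",
         "http://facebook.com/?redirectTo=https://example.org/",
         "https://example.org/"]

if __name__ == "__main__":
    for label, kw in [("no HSTS", {}), ("HSTS on facebook.com", {"hsts_hosts": ("facebook.com",)})]:
        print(label)
        for hop in follow_chain("default", CHAIN, **kw):
            print("  ", hop)
```

With the default policy the plaintext hop is what strips the originating HTTPS URL, and the final site only ever sees the redirector; enabling HSTS on the redirector host removes the plaintext hop and, with it, the stripping.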