Hello,
When setting the CURLOPT_AUTOREFERER option, libcurl automatically sets the
referer: header in a following request (like when following redirects) to the
URL of the previous transfer.
This can be considered a minor privacy leak, especially when following
requests cross-origin and to an insecure protocol such as HTTP.
I propose we change this accordingly:
1 - make CURLOPT_AUTOREFERER default to only set the origin in the header,
which means hiding the path and query parts.
2 - offer a new value (2) for CURLOPT_AUTOREFERER to make it behave like it
does today: including the full URL
Longer term, we could consider supporting the Referrer-Policy header which
allows sites to decide this policy.
My initial PR for this work: https://github.com/curl/curl/pull/9750
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
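To make the two proposed behaviours concrete, here is an added example that is not code from the curl project or from the PR. It is a small hypothetical helper, referer_value(), that takes the previous transfer's URL and produces the Referer: value either as origin only (scheme://host[:port]/, with path, query, fragment and any userinfo dropped) or as the full URL, matching the default and the "value 2" modes described above. The mode constants and the function are assumptions for illustration only, not libcurl API.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical mode values for this example, not libcurl constants. */
#define REFERER_ORIGIN 1   /* proposed default: only scheme://host[:port]/ */
#define REFERER_FULL   2   /* proposed value 2: the full previous URL      */

/* Compute the Referer: header value derived from prev_url.
 * Writes into out (capacity outlen). Returns 0 on success, -1 if the URL
 * has no recognisable scheme/authority or the buffer is too small. */
int referer_value(const char *prev_url, int mode, char *out, size_t outlen)
{
    const char *sep = strstr(prev_url, "://");
    if (!sep || sep == prev_url)
        return -1;                         /* no "scheme://" prefix */

    if (mode == REFERER_FULL) {
        /* Today's behaviour: copy the whole URL, path and query included. */
        if (strlen(prev_url) + 1 > outlen)
            return -1;
        strcpy(out, prev_url);
        return 0;
    }
    if (mode != REFERER_ORIGIN)
        return -1;

    /* Origin-only: authority runs from after "://" up to '/', '?' or '#'. */
    const char *auth = sep + 3;
    size_t alen = strcspn(auth, "/?#");
    if (alen == 0)
        return -1;

    /* Never leak credentials: skip any user:password@ part of the authority. */
    const char *at = memchr(auth, '@', alen);
    const char *host = at ? at + 1 : auth;
    size_t hlen = (size_t)(auth + alen - host);
    if (hlen == 0)
        return -1;

    size_t schemelen = (size_t)(sep - prev_url);
    /* scheme + "://" + host[:port] + "/" + NUL */
    if (schemelen + 3 + hlen + 1 + 1 > outlen)
        return -1;
    memcpy(out, prev_url, schemelen + 3);
    memcpy(out + schemelen + 3, host, hlen);
    out[schemelen + 3 + hlen] = '/';
    out[schemelen + 3 + hlen + 1] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample URL containing a secret in the query string. */
    const char *prev = "https://user:pw@example.com:8443/account?token=abc#top";
    char buf[256];
    if (referer_value(prev, REFERER_ORIGIN, buf, sizeof buf) == 0)
        printf("origin-only: Referer: %s\n", buf);
    if (referer_value(prev, REFERER_FULL, buf, sizeof buf) == 0)
        printf("full URL:    Referer: %s\n", buf);
    return 0;
}
```

The origin-only form still reveals which site the user came from, only the path and query are hidden. The helper also does not suppress the header on an https to http downgrade, which is what a browser's default Referrer-Policy (strict-origin-when-cross-origin) would do; that is the kind of decision the longer-term Referrer-Policy support mentioned above would cover.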