Re: [whatwg] getting rid of anonymizing redirects
Okay. I assumed more granular control would be needed but if not then this works great.

Thanks,

Peter

From: Ilya Grigorik
Date: Wednesday, October 8, 2014 at 11:43 AM
To: Peter Lepeska
Cc: Chris Bentzel, WHAT Working Group
Subject: Re: [whatwg] getting rid of anonymizing redirects

On Wed, Oct 8, 2014 at 11:36 AM, Peter Lepeska wrote:
> Does this have implications for resource hints? Do we want the ability to
> specify “noreferrer” for prerendered pages? Currently noreferrer only applies
> to the tag.

My understanding is that you set a global policy, which would apply to all requests:
https://w3c.github.io/webappsec/specs/content-security-policy/#directive-referrer

e.g. Content-Security-Policy: referrer no-referrer; (or equivalent meta element)

ig
Re: [whatwg] getting rid of anonymizing redirects
On Wed, Oct 8, 2014 at 11:36 AM, Peter Lepeska wrote:
> Does this have implications for resource hints? Do we want the ability to
> specify “noreferrer” for prerendered pages? Currently noreferrer only
> applies to the tag.

My understanding is that you set a global policy, which would apply to all requests:
https://w3c.github.io/webappsec/specs/content-security-policy/#directive-referrer

e.g. Content-Security-Policy: referrer no-referrer; (or equivalent meta element)

ig
Re: [whatwg] getting rid of anonymizing redirects
Great thanks Boris!

On 10/7/14, 11:49 PM, "Boris Zbarsky" wrote:
>On 10/7/14, 11:39 AM, Glenn Maynard wrote:
>> Firefox has had a ticket open for this for about half a
>> decade
>
>It's fixed and the fix is shipping in Firefox 33 in a week.
>
>-Boris
Re: [whatwg] getting rid of anonymizing redirects
Understood and thanks for the explanation.

Does this have implications for resource hints? Do we want the ability to specify “noreferrer” for prerendered pages? Currently noreferrer only applies to the tag.

Thanks,

Peter

From: Ilya Grigorik
Date: Tuesday, October 7, 2014 at 6:13 PM
To: Peter Lepeska
Cc: Chris Bentzel, WHAT Working Group
Subject: Re: [whatwg] getting rid of anonymizing redirects

On Tue, Oct 7, 2014 at 8:28 AM, Peter Lepeska wrote:
> Looks like this is already supported:
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer.
>
> Just need to educate web developers to use it.

It's a bit more complicated. The redirector use case has many dimensions:

a) site wants to anonymize the referrer (and do so reliably across all UAs)
b) site wants to log the navigation for analytics (sync XHR = bad, has limited support, Beacon is FF/Chrome only)
c) site wants to log native-app visits and add "attribution" to their native app - e.g. G+ app clicks are shown as plus.google.com in referrer logs.

In theory, (a) and (b) are addressed by new APIs. In practice, due to old UAs + implementation differences, redirector is *way* easier - don't have to perform UA detects, etc. (c) is a whole different story.. and the reason many teams like the redirector route is that it allows them to reuse the same path for web and native.

To be clear, I'm not endorsing the pattern.. I'd love to get rid of it. That said, just want to relay the feedback I've received in the past.

- we need referrer logic implemented consistently.
- we need Beacon available in all browsers.

Also, preconnect support can also help speed things up for redirector case:
http://w3c.github.io/resource-hints/#anonymizing-redirect-preconnect

ig
Re: [whatwg] getting rid of anonymizing redirects
On 10/7/14, 11:39 AM, Glenn Maynard wrote:
> Firefox has had a ticket open for this for about half a decade

It's fixed and the fix is shipping in Firefox 33 in a week.

-Boris
Re: [whatwg] getting rid of anonymizing redirects
On Tue, Oct 7, 2014 at 8:28 AM, Peter Lepeska wrote:
> Looks like this is already supported:
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer.
>
> Just need to educate web developers to use it.

It's a bit more complicated. The redirector use case has many dimensions:

a) site wants to anonymize the referrer (and do so reliably across all UAs)
b) site wants to log the navigation for analytics (sync XHR = bad, has limited support, Beacon is FF/Chrome only)
c) site wants to log native-app visits and add "attribution" to their native app - e.g. G+ app clicks are shown as plus.google.com in referrer logs.

In theory, (a) and (b) are addressed by new APIs. In practice, due to old UAs + implementation differences, redirector is *way* easier - don't have to perform UA detects, etc. (c) is a whole different story.. and the reason many teams like the redirector route is that it allows them to reuse the same path for web and native.

To be clear, I'm not endorsing the pattern.. I'd love to get rid of it. That said, just want to relay the feedback I've received in the past.

- we need referrer logic implemented consistently.
- we need Beacon available in all browsers.

Also, preconnect support can also help speed things up for redirector case:
http://w3c.github.io/resource-hints/#anonymizing-redirect-preconnect

ig
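
An added example, not written by any participant in this thread: the redirect-free path for use cases (a) and (b) above, turning a redirector link into a direct link with rel="noreferrer" and logging the click through Beacon. The origin `https://site.example`, the `url` query parameter, the `/log-click` endpoint and all function names are assumptions made for illustration.

```javascript
// Constructed sample: a redirector-style href as it might appear in a page.
const SAMPLE_HREF =
  'https://site.example/out?url=https%3A%2F%2Fdest.example%2Fa%3Fb%3D1';

// Extract the real destination from a redirector URL. Only http(s) targets
// are accepted, so a rewritten link can never become javascript: or data:.
function unwrapRedirect(href, redirectorOrigin, param = 'url') {
  let outer;
  try { outer = new URL(href); } catch { return null; }
  if (outer.origin !== redirectorOrigin) return null;
  const raw = outer.searchParams.get(param); // already percent-decoded
  if (!raw) return null;
  let target;
  try { target = new URL(raw); } catch { return null; }
  const ok = target.protocol === 'https:' || target.protocol === 'http:';
  return ok ? target.href : null;
}

// Merge "noreferrer" into an existing rel value without duplicating tokens.
function withNoReferrer(rel) {
  const tokens = new Set(
    (rel || '').split(/\s+/).filter(Boolean).map((t) => t.toLowerCase()));
  tokens.add('noreferrer');
  return [...tokens].join(' ');
}

// Rewrite one anchor-like object ({href, rel}); returns true when changed.
// `nav` is the navigator object, passed in so support can be feature-tested.
function rewriteAnchor(a, redirectorOrigin, logUrl, nav) {
  const target = unwrapRedirect(a.href, redirectorOrigin);
  if (target === null) return false; // not a redirector link: leave untouched
  a.href = target;
  a.rel = withNoReferrer(a.rel);     // use case (a): no Referer header sent
  a.onclick = () => {                // use case (b): non-blocking click log
    if (nav && typeof nav.sendBeacon === 'function') {
      nav.sendBeacon(logUrl, target);
    }
  };
  return true;
}

// In a browser (hypothetical wiring):
// document.querySelectorAll('a[href]').forEach((a) =>
//   rewriteAnchor(a, 'https://site.example', '/log-click', navigator));
```

Links that do not match the redirector origin, or whose target is not http(s), are left as they were, so the existing redirector keeps handling them.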
Re: [whatwg] getting rid of anonymizing redirects
I don't have a list, but as far as I know the only browser with complete support is WebKit (and now Blink, I guess), though there are apparently some bugs there. Firefox has had a ticket open for this for about half a decade (which has had some activity recently, but with tickets that old I'm doubtful until it actually gets released...). I don't think IE has any support. I haven't retested any of this recently, so I'd recommend testing for yourself if you need to be sure.

I haven't tested at all and don't know anything about its support.

On Tue, Oct 7, 2014 at 9:09 AM, Peter Lepeska wrote:
> Thanks Glenn.
>
> Do you happen to have a list of which browsers support it and which do not?
>
> Thanks,
>
> Peter
>
> From: Glenn Maynard
> Date: Tuesday, October 7, 2014 at 10:00 AM
> To: Peter Lepeska
> Cc: Chris Bentzel, WHAT Working Group <wha...@whatwg.org>
> Subject: Re: [whatwg] getting rid of anonymizing redirects
>
> On Tue, Oct 7, 2014 at 7:28 AM, Peter Lepeska wrote:
>
>> Hi Chris,
>>
>> Looks like this is already supported:
>> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer.
>>
>> Just need to educate web developers to use it.
>
> People don't use it because it's not supported in most browsers. It's too
> bad, since "link anonymizers" are terrible and the lack of this feature is
> causing them to continue to be used.
>
> --
> Glenn Maynard

--
Glenn Maynard
Re: [whatwg] getting rid of anonymizing redirects
See also: http://www.w3.org/TR/referrer-policy/

And http://www.w3.org/TR/CSP2/#directive-referrer

On 10/7/14, 5:06 AM, "Anne van Kesteren" wrote:
>On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska wrote:
>> Some web site developers use redirects to strip out referrer headers from
>> requests issued from users clicking links on their site. This causes a
>> blocking round trip and so has a really big impact on web performance.
>>
>> Can we give developers an alternative to this technique that will not incur
>> a performance penalty? For instance, can linkable elements support a
>> “no-referrer” attribute or something similar?
>
>https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
>http://w3c.github.io/webappsec/specs/referrer-policy/
>
>--
>https://annevankesteren.nl/
Re: [whatwg] getting rid of anonymizing redirects
On Tue, Oct 7, 2014 at 4:13 PM, Mathias Bynens wrote:
> There’s also ``:
> https://wiki.whatwg.org/wiki/Meta_referrer

Obsoleted by my second link. Will update the wiki.

--
https://annevankesteren.nl/
Re: [whatwg] getting rid of anonymizing redirects
On Tue, Oct 7, 2014 at 2:06 PM, Anne van Kesteren wrote:
> On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska wrote:
>> Some web site developers use redirects to strip out referrer headers from
>> requests issued from users clicking links on their site. This causes a
>> blocking round trip and so has a really big impact on web performance.
>>
>> Can we give developers an alternative to this technique that will not incur
>> a performance penalty? For instance, can linkable elements support a
>> “no-referrer” attribute or something similar?
>
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
> http://w3c.github.io/webappsec/specs/referrer-policy/

There’s also ``:
https://wiki.whatwg.org/wiki/Meta_referrer
Re: [whatwg] getting rid of anonymizing redirects
Thanks Glenn.

Do you happen to have a list of which browsers support it and which do not?

Thanks,

Peter

From: Glenn Maynard
Date: Tuesday, October 7, 2014 at 10:00 AM
To: Peter Lepeska
Cc: Chris Bentzel, WHAT Working Group
Subject: Re: [whatwg] getting rid of anonymizing redirects

On Tue, Oct 7, 2014 at 7:28 AM, Peter Lepeska wrote:
> Hi Chris,
>
> Looks like this is already supported:
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer.
>
> Just need to educate web developers to use it.

People don't use it because it's not supported in most browsers. It's too bad, since "link anonymizers" are terrible and the lack of this feature is causing them to continue to be used.

--
Glenn Maynard
Re: [whatwg] getting rid of anonymizing redirects
On Tue, Oct 7, 2014 at 7:28 AM, Peter Lepeska wrote:
> Hi Chris,
>
> Looks like this is already supported:
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer.
>
> Just need to educate web developers to use it.

People don't use it because it's not supported in most browsers. It's too bad, since "link anonymizers" are terrible and the lack of this feature is causing them to continue to be used.

--
Glenn Maynard
Re: [whatwg] getting rid of anonymizing redirects
Hi Chris,

Looks like this is already supported:
https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer.

Just need to educate web developers to use it.

Peter

From: Chris Bentzel
Date: Tuesday, October 7, 2014 at 8:07 AM
To: Peter Lepeska, WHAT Working Group
Subject: Re: getting rid of anonymizing redirects

There's meta referrer on the document. Combining this with or Beacon for click tracking may remove many of the needs for redirects.

Or do you want something that is per-link rather than per-document?

On Tue Oct 07 2014 at 7:59:51 AM Peter Lepeska wrote:
> All,
>
> Some web site developers use redirects to strip out referrer headers from
> requests issued from users clicking links on their site. This causes a
> blocking round trip and so has a really big impact on web performance.
>
> Can we give developers an alternative to this technique that will not incur a
> performance penalty? For instance, can linkable elements support a
> “no-referrer” attribute or something similar?
>
> Thanks,
>
> Peter
Re: [whatwg] getting rid of anonymizing redirects
Thank you!

From: Delfi Ramirez
Organization: Segonquart Studio
Date: Tuesday, October 7, 2014 at 8:20 AM
To: Anne van Kesteren
Cc: Peter Lepeska, WHAT Working Group
Subject: Re: [whatwg] getting rid of anonymizing redirects

Thank you vm, Anne Van

---
Delfi Ramirez
My digital signature <http://delfiramirez.info/public/dr_public_key.asc>
+34 633 589231
del...@segonquart.net
twitter: delfinramirez
IRC: segonquart
Skype: segonquart
http://segonquart.net
http://delfiramirez.info

On 2014-10-07 14:06, Anne van Kesteren wrote:
> On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska wrote:
>> Some web site developers use redirects to strip out referrer headers from
>> requests issued from users clicking links on their site. This causes a
>> blocking round trip and so has a really big impact on web performance. Can we
>> give developers an alternative to this technique that will not incur a
>> performance penalty? For instance, can linkable elements support a
>> “no-referrer” attribute or something similar?
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
> http://w3c.github.io/webappsec/specs/referrer-policy/
Re: [whatwg] getting rid of anonymizing redirects
Thank you vm, Anne Van

---
Delfi Ramirez
My digital signature [3]
+34 633 589231
del...@segonquart.net [4]
twitter: delfinramirez
IRC: segonquart
Skype: segonquart [5]
http://segonquart.net [6]
http://delfiramirez.info [7]

On 2014-10-07 14:06, Anne van Kesteren wrote:
> On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska wrote:
>
>> Some web site developers use redirects to strip out referrer headers from
>> requests issued from users clicking links on their site. This causes a
>> blocking round trip and so has a really big impact on web performance. Can
>> we give developers an alternative to this technique that will not incur a
>> performance penalty? For instance, can linkable elements support a
>> “no-referrer” attribute or something similar?
>
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer [1]
> http://w3c.github.io/webappsec/specs/referrer-policy/ [2]

Links:
--
[1] https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
[2] http://w3c.github.io/webappsec/specs/referrer-policy/
[3] http://delfiramirez.info/public/dr_public_key.asc
[4] mail:%20del...@segonquart.net
[5] skype:segonquart
[6] http://segonquart.net
[7] http://delfiramirez.info
Re: [whatwg] getting rid of anonymizing redirects
On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska wrote:
> Some web site developers use redirects to strip out referrer headers from
> requests issued from users clicking links on their site. This causes a
> blocking round trip and so has a really big impact on web performance.
>
> Can we give developers an alternative to this technique that will not incur
> a performance penalty? For instance, can linkable elements support a
> “no-referrer” attribute or something similar?

https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
http://w3c.github.io/webappsec/specs/referrer-policy/

--
https://annevankesteren.nl/