Re: [whatwg] getting rid of anonymizing redirects

2014-10-08 Thread Peter Lepeska
Okay. I assumed more granular control would be needed but if not then this
works great.

Thanks,

Peter

From:  Ilya Grigorik 
Date:  Wednesday, October 8, 2014 at 11:43 AM
To:  Peter Lepeska 
Cc:  Chris Bentzel , WHAT Working Group
, 
Subject:  Re: [whatwg] getting rid of anonymizing redirects


On Wed, Oct 8, 2014 at 11:36 AM, Peter Lepeska  wrote:
> Does this have implications for resource hints? Do we want the ability to
> specify ³noreferrer² for prerendered pages? Currently noreferrer only applies
> to the  tag.

My understanding is that you set a global policy, which would apply to all
requests:
https://w3c.github.io/webappsec/specs/content-security-policy/#directive-ref
errer

e.g. Content-Security-Policy: referrer no-referrer; (or equivalent meta
element)

ig




Re: [whatwg] getting rid of anonymizing redirects

2014-10-08 Thread Ilya Grigorik
On Wed, Oct 8, 2014 at 11:36 AM, Peter Lepeska  wrote:

> Does this have implications for resource hints? Do we want the ability to
> specify “noreferrer” for prerendered pages? Currently noreferrer only
> applies to the  tag.


My understanding is that you set a global policy, which would apply to all
requests:
https://w3c.github.io/webappsec/specs/content-security-policy/#directive-referrer

e.g. Content-Security-Policy: referrer no-referrer; (or equivalent meta
element)

ig


Re: [whatwg] getting rid of anonymizing redirects

2014-10-08 Thread Peter Lepeska
Great thanks Boris!

On 10/7/14, 11:49 PM, "Boris Zbarsky"  wrote:

>On 10/7/14, 11:39 AM, Glenn Maynard wrote:
>> Firefox has had a ticket open for this for about half a
>> decade
>
>It's fixed and the fix is shipping in Firefox 33 in a week.
>
>-Boris




Re: [whatwg] getting rid of anonymizing redirects

2014-10-08 Thread Peter Lepeska
Understood and thanks for the explanation.

Does this have implications for resource hints? Do we want the ability to
specify ³noreferrer² for prerendered pages? Currently noreferrer only
applies to the  tag.

Thanks,

Peter





From:  Ilya Grigorik 
Date:  Tuesday, October 7, 2014 at 6:13 PM
To:  Peter Lepeska 
Cc:  Chris Bentzel , WHAT Working Group
, 
Subject:  Re: [whatwg] getting rid of anonymizing redirects


On Tue, Oct 7, 2014 at 8:28 AM, Peter Lepeska  wrote:
> Looks like this is already supported:
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer.
> 
> Just need to educate web developers to you use it.

It's a bit more complicated. The redirector use case has many dimensions:
a) site wants to anonymize the referrer (and do so reliably across all UAs)
b) site wants to log the navigation for analytics (sync XHR = bad, 
has limited support, Beacon is FF/Chrome only)
c) site wants to log native-app visits and add "attribution" to their native
app - e.g. G+ app clicks are shown as plus.google.com
<http://plus.google.com>  in referrer logs.

In theory, (a) and (b) are addressed by new APIs. In practice, due to old
UAs + implementation differences, redirector is *way* easier - don't have to
perform UA detects, etc. (c) is a whole different story.. and the reason
many teams like the redirector route is that it allows them to reuse the
same path for web and native.

To be clear, I'm not endorsing the pattern.. I'd love get rid of it. That
said, just want to relay the feedback I've received in the past.

- we need referrer logic implemented consistently.
- we need Beacon available in all browsers.

Also, preconnect support can also help speed things up for redirector case:
http://w3c.github.io/resource-hints/#anonymizing-redirect-preconnect

ig




Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Boris Zbarsky

On 10/7/14, 11:39 AM, Glenn Maynard wrote:

Firefox has had a ticket open for this for about half a
decade


It's fixed and the fix is shipping in Firefox 33 in a week.

-Boris


Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Ilya Grigorik
On Tue, Oct 7, 2014 at 8:28 AM, Peter Lepeska  wrote:

> Looks like this is already supported:
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
> .
>
> Just need to educate web developers to you use it.
>

It's a bit more complicated. The redirector use case has many dimensions:
a) site wants to anonymize the referrer (and do so reliably across all UAs)
b) site wants to log the navigation for analytics (sync XHR = bad, 
has limited support, Beacon is FF/Chrome only)
c) site wants to log native-app visits and add "attribution" to their
native app - e.g. G+ app clicks are shown as plus.google.com in referrer
logs.

In theory, (a) and (b) are addressed by new APIs. In practice, due to old
UAs + implementation differences, redirector is *way* easier - don't have
to perform UA detects, etc. (c) is a whole different story.. and the reason
many teams like the redirector route is that it allows them to reuse the
same path for web and native.

To be clear, I'm not endorsing the pattern.. I'd love get rid of it. That
said, just want to relay the feedback I've received in the past.

- we need referrer logic implemented consistently.
- we need Beacon available in all browsers.

Also, preconnect support can also help speed things up for redirector case:
http://w3c.github.io/resource-hints/#anonymizing-redirect-preconnect

ig


Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Glenn Maynard
I don't have a list, but as far as I know the only browser with complete
support is WebKit (and now Blink, I guess), though there are apparently
some bugs there.  Firefox has had a ticket open for this for about half a
decade (which has had some activity recently, but with tickets that old I'm
doubtful until it actually gets released...).  I don't think IE has any
support.

I haven't retested any of this recently, so I'd recommend testing for
yourself if you need to be sure.  I haven't tested  at all
and don't know anything about its support.



On Tue, Oct 7, 2014 at 9:09 AM, Peter Lepeska  wrote:

> Thanks Glenn.
>
> Do you happen to have a list of which browsers support it and which do not?
>
> Thanks,
>
> Peter
>
> From: Glenn Maynard 
> Date: Tuesday, October 7, 2014 at 10:00 AM
> To: Peter Lepeska 
> Cc: Chris Bentzel , WHAT Working Group <
> wha...@whatwg.org>, 
> Subject: Re: [whatwg] getting rid of anonymizing redirects
>
> On Tue, Oct 7, 2014 at 7:28 AM, Peter Lepeska 
> wrote:
>
>> Hi Chris,
>>
>> Looks like this is already supported:
>> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
>> .
>>
>> Just need to educate web developers to you use it.
>>
>
> People don't use it because it's not supported in most browsers.  It's too
> bad, since "link anonymizers" are terrible and the lack of this feature is
> causing them to continue to be used.
>
> --
> Glenn Maynard
>
>


-- 
Glenn Maynard


Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Brad Hill
See also:

http://www.w3.org/TR/referrer-policy/


And

http://www.w3.org/TR/CSP2/#directive-referrer


On 10/7/14, 5:06 AM, "Anne van Kesteren"  wrote:

>On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska 
>wrote:
>> Some web site developers use redirects to strip out referrer headers
>>from
>> requests issued from users clicking links on their site. This causes a
>> blocking round trip and so has a really big impact on web performance.
>>
>> Can we give developers an alternative to this technique that will not
>>incur
>> a performance penalty? For instance, can linkable elements support a
>> ³no-referrer² attribute or something similar?
>
>https://urldefense.proofpoint.com/v1/url?u=https://html.spec.whatwg.org/mu
>ltipage/semantics.html%23link-type-noreferrer&k=ZVNjlDMF0FElm4dQtryO4A%3D%
>3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=sLg9nzF6XKCiwvibvLzUtSPc0UWUIr
>GOib%2BGDC6%2Btx8%3D%0A&s=7376ff81d0849bee3715e5f90e7733ba18fd39ca856d8b89
>268ad264b83a424d
>https://urldefense.proofpoint.com/v1/url?u=http://w3c.github.io/webappsec/
>specs/referrer-policy/&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8
>%2BWBMXZg%3D%3D%0A&m=sLg9nzF6XKCiwvibvLzUtSPc0UWUIrGOib%2BGDC6%2Btx8%3D%0A
>&s=169914a62123d604d40a75f3ba5dc125b810d41d801aebef46a0c833916eb2b9
>
>
>-- 
>https://urldefense.proofpoint.com/v1/url?u=https://annevankesteren.nl/&k=Z
>VNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=sLg9n
>zF6XKCiwvibvLzUtSPc0UWUIrGOib%2BGDC6%2Btx8%3D%0A&s=7e5e97e6ac5ffe13c5c36fe
>3a4a8624e7d2b6b3de6fcbdd43a9e93d21a4abb25



Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Anne van Kesteren
On Tue, Oct 7, 2014 at 4:13 PM, Mathias Bynens  wrote:
> There’s also ``:
> https://wiki.whatwg.org/wiki/Meta_referrer

Obsoleted by my second link. Will update the wiki.


-- 
https://annevankesteren.nl/


Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Mathias Bynens
On Tue, Oct 7, 2014 at 2:06 PM, Anne van Kesteren  wrote:
> On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska  wrote:
>> Some web site developers use redirects to strip out referrer headers from
>> requests issued from users clicking links on their site. This causes a
>> blocking round trip and so has a really big impact on web performance.
>>
>> Can we give developers an alternative to this technique that will not incur
>> a performance penalty? For instance, can linkable elements support a
>> ³no-referrer² attribute or something similar?
>
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
> http://w3c.github.io/webappsec/specs/referrer-policy/

There’s also ``:
https://wiki.whatwg.org/wiki/Meta_referrer


Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Peter Lepeska
Thanks Glenn.

Do you happen to have a list of which browsers support it and which do not?

Thanks,

Peter

From:  Glenn Maynard 
Date:  Tuesday, October 7, 2014 at 10:00 AM
To:  Peter Lepeska 
Cc:  Chris Bentzel , WHAT Working Group
, 
Subject:  Re: [whatwg] getting rid of anonymizing redirects

On Tue, Oct 7, 2014 at 7:28 AM, Peter Lepeska  wrote:
> Hi Chris,
> 
> Looks like this is already supported:
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer.
> 
> Just need to educate web developers to you use it.

People don't use it because it's not supported in most browsers.  It's too
bad, since "link anonymizers" are terrible and the lack of this feature is
causing them to continue to be used.

-- 
Glenn Maynard





Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Glenn Maynard
On Tue, Oct 7, 2014 at 7:28 AM, Peter Lepeska  wrote:

> Hi Chris,
>
> Looks like this is already supported:
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
> .
>
> Just need to educate web developers to you use it.
>

People don't use it because it's not supported in most browsers.  It's too
bad, since "link anonymizers" are terrible and the lack of this feature is
causing them to continue to be used.

-- 
Glenn Maynard


Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Peter Lepeska
Hi Chris,

Looks like this is already supported:
https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer.

Just need to educate web developers to you use it.

Peter


From:  Chris Bentzel 
Date:  Tuesday, October 7, 2014 at 8:07 AM
To:  Peter Lepeska , WHAT Working Group
, 
Subject:  Re: getting rid of anonymizing redirects

There's meta referrer on the document. Combining this with  or
Beacon for click tracking may remove many of the needs for redirects. Or do
you want something that is per-link rather than per-document?
On Tue Oct 07 2014 at 7:59:51 AM Peter Lepeska  wrote:
> All,
> 
> Some web site developers use redirects to strip out referrer headers from
> requests issued from users clicking links on their site. This causes a
> blocking round trip and so has a really big impact on web performance.
> 
> Can we give developers an alternative to this technique that will not incur a
> performance penalty? For instance, can linkable elements support a
> ³no-referrer² attribute or something similar?
> 
> Thanks,
> 
> Peter




Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Peter Lepeska
Thank you!

From:  Delfi Ramirez 
Organization:  Segonquart Studio
Date:  Tuesday, October 7, 2014 at 8:20 AM
To:  Anne van Kesteren 
Cc:  Peter Lepeska , WHAT Working Group
, 
Subject:  Re: [whatwg] getting rid of anonymizing redirects

Thank you vm, Anne Van

 

---
Delfi Ramirez
My digital signature <http://delfiramirez.info/public/dr_public_key.asc>

+34 633 589231
 del...@segonquart.net 
twitter: delfinramirez
 IRC: segonquart Skype: segonquart 
http://segonquart.net
http://delfiramirez.info
 <http://delfiramirez.info>
On 2014-10-07 14:06, Anne van Kesteren wrote:
> On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska  wrote:
>> Some web site developers use redirects to strip out referrer headers from
>> requests issued from users clicking links on their site. This causes a
>> blocking round trip and so has a really big impact on web performance. Can we
>> give developers an alternative to this technique that will not incur a
>> performance penalty? For instance, can linkable elements support a
>> ³no-referrer² attribute or something similar?
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrerhttp
> ://w3c.github.io/webappsec/specs/referrer-policy/




Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Delfi Ramirez
 

Thank you vm, Anne Van 

---

Delfi Ramirez

My digital signature [3]

+34 633 589231
 del...@segonquart.net [4] 

twitter: delfinramirez

 IRC: segonquart Skype: segonquart [5]

http://segonquart.net [6]

http://delfiramirez.info
 [7]

On 2014-10-07 14:06, Anne van Kesteren wrote: 

> On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska  wrote:
> 
>> Some web site developers use redirects to strip out referrer headers from 
>> requests issued from users clicking links on their site. This causes a 
>> blocking round trip and so has a really big impact on web performance. Can 
>> we give developers an alternative to this technique that will not incur a 
>> performance penalty? For instance, can linkable elements support a 
>> ³no-referrer² attribute or something similar?
> 
> https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer [1]
> http://w3c.github.io/webappsec/specs/referrer-policy/ [2]
 

Links:
--
[1]
https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
[2] http://w3c.github.io/webappsec/specs/referrer-policy/
[3] http://delfiramirez.info/public/dr_public_key.asc
[4] mail:%20del...@segonquart.net
[5] skype:segonquart
[6] http://segonquart.net
[7] http://delfiramirez.info


Re: [whatwg] getting rid of anonymizing redirects

2014-10-07 Thread Anne van Kesteren
On Tue, Oct 7, 2014 at 1:58 PM, Peter Lepeska  wrote:
> Some web site developers use redirects to strip out referrer headers from
> requests issued from users clicking links on their site. This causes a
> blocking round trip and so has a really big impact on web performance.
>
> Can we give developers an alternative to this technique that will not incur
> a performance penalty? For instance, can linkable elements support a
> ³no-referrer² attribute or something similar?

https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
http://w3c.github.io/webappsec/specs/referrer-policy/


-- 
https://annevankesteren.nl/