On CURLOPT_AUTOREFERER privacy
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 17 Oct 2022 15:46:26 +0200 (CEST)
Hello,
When setting the CURLOPT_AUTOREFERER option, libcurl automatically sets the
referer: header in following request (like when following redirects) to the
URL of the previous transfer.
This can be considered a minor privacy leak, especially when following
requests cross-origin and to an insecure protocol such as HTTP.
I propose we change this accordingly:
1 - make CURLOPT_AUTOREFERER default to only set the origin in the header,
which means hiding the path and query parts.
2 - offer a new value (2) for CURLOPT_AUTOREFERER to make it behave like it
does today: including the full URL
Longer term, we could consider supporting the Referrer-Policy header which
allows sites to decide this policy.
My initial PR for this work: https://github.com/curl/curl/pull/9750
--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
Received on 2022-10-17
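The two proposed modes, as an added illustration in C that is not libcurl's own code and does not call libcurl: autoreferer_value() derives the Referer: value from the previous transfer's URL under mode 1 (origin only, also dropping any userinfo since an origin carries no credentials) and mode 2 (full URL as today). referer_allowed() is an assumed extra check in the spirit of the Referrer-Policy idea mentioned above and is not part of the proposal.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not libcurl code: the Referer: value the proposal would
   derive from the previous transfer's URL. mode 1 (proposed default)
   keeps only the origin, scheme://host[:port]/ ; mode 2 (today's
   behaviour) keeps the full URL. Returns a malloc'd string the caller
   frees, or NULL for a URL without a scheme or host. */
char *autoreferer_value(const char *prev_url, int mode)
{
    const char *scheme_end = strstr(prev_url, "://");
    if (!scheme_end)
        return NULL;                           /* not an absolute URL */
    if (mode == 2) {                           /* full URL, unchanged */
        char *copy = malloc(strlen(prev_url) + 1);
        return copy ? strcpy(copy, prev_url) : NULL;
    }
    /* mode 1: the authority ends at the first '/', '?' or '#' */
    const char *auth = scheme_end + 3;
    size_t auth_len = strcspn(auth, "/?#");
    /* an origin carries no credentials, so skip any userinfo@ part too */
    const char *at = memchr(auth, '@', auth_len);
    const char *host = at ? at + 1 : auth;
    size_t host_len = auth_len - (size_t)(host - auth);
    if (host_len == 0)
        return NULL;                           /* empty host */
    size_t scheme_len = (size_t)(auth - prev_url);   /* "scheme://" */
    char *out = malloc(scheme_len + host_len + 2);   /* + '/' + NUL */
    if (!out)
        return NULL;
    memcpy(out, prev_url, scheme_len);
    memcpy(out + scheme_len, host, host_len);
    out[scheme_len + host_len] = '/';
    out[scheme_len + host_len + 1] = '\0';
    return out;
}

/* Assumed extra check (not in the proposal), modelled on Referrer-Policy's
   no-referrer-when-downgrade: 1 if a Referer may accompany the next
   request, 0 if it would hand an https:// origin to a plain http:// URL. */
int referer_allowed(const char *prev_url, const char *next_url)
{
    int prev_secure = strncmp(prev_url, "https://", 8) == 0;
    int next_secure = strncmp(next_url, "https://", 8) == 0;
    return !(prev_secure && !next_secure);
}
```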