Changeset 2072 for draft-ietf-httpbis

Timestamp:

31/12/12 10:51:33 (9 years ago)

Author:

fielding@…

Message:

update the description of Referer to current practice and actual security concerns

Location:

draft-ietf-httpbis/latest

Files:

• p1-messaging.html (modified) (4 diffs)
• p1-messaging.xml (modified) (1 diff)
• p2-semantics.html (modified) (13 diffs)
• p2-semantics.xml (modified) (8 diffs)

draft-ietf-httpbis/latest/p1-messaging.html

@@ -449 +449 @@
   } 
   @bottom-center {
-       content: "Expires July 3, 2013"; 
+       content: "Expires July 4, 2013"; 
   } 
   @bottom-right {
@@ -491 +491 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2012-12-30">
+      <meta name="dct.issued" scheme="ISO8601" content="2012-12-31">
       <meta name="dct.replaces" content="urn:ietf:rfc:2145">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
@@ -520 +520 @@
             <tr>
                <td class="left">Intended status: Standards Track</td>
-               <td class="right">December 30, 2012</td>
+               <td class="right">December 31, 2012</td>
             </tr>
             <tr>
-               <td class="left">Expires: July 3, 2013</td>
+               <td class="left">Expires: July 4, 2013</td>
                <td class="right"></td>
             </tr>
@@ -551 +551 @@
          in progress”.
       </p>
-      <p>This Internet-Draft will expire on July 3, 2013.</p>
+      <p>This Internet-Draft will expire on July 4, 2013.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p>

draft-ietf-httpbis/latest/p1-messaging.xml

@@ -2378 +2378 @@
 <section title="Effective Request URI" anchor="effective.request.uri">
   <iref primary="true" item="effective request URI"/>
+  <x:anchor-alias value="effective request URI"/>
 <t>
    A server that receives an HTTP request message &MUST; reconstruct

draft-ietf-httpbis/latest/p2-semantics.html

@@ -449 +449 @@
   } 
   @bottom-center {
-       content: "Expires July 3, 2013"; 
+       content: "Expires July 4, 2013"; 
   } 
   @bottom-right {
@@ -495 +495 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p2-semantics-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2012-12-30">
+      <meta name="dct.issued" scheme="ISO8601" content="2012-12-31">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload of messages (metadata and body content) and mechanisms for content negotiation.">
@@ -523 +523 @@
             <tr>
                <td class="left">Intended status: Standards Track</td>
-               <td class="right">December 30, 2012</td>
+               <td class="right">December 31, 2012</td>
             </tr>
             <tr>
-               <td class="left">Expires: July 3, 2013</td>
+               <td class="left">Expires: July 4, 2013</td>
                <td class="right"></td>
             </tr>
@@ -554 +554 @@
          in progress”.
       </p>
-      <p>This Internet-Draft will expire on July 3, 2013.</p>
+      <p>This Internet-Draft will expire on July 4, 2013.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
@@ -835 +835 @@
          in <a href="p1-messaging.html#uri" title="Uniform Resource Identifiers">Section 2.7</a> of <a href="#Part1" id="rfc.xref.Part1.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.
       </p>
-      <p id="rfc.section.2.p.2">When a client constructs an HTTP/1.1 request message, it sends the "target URI" in one of various forms, as defined in (<a href="p1-messaging.html#request-target" title="Request Target">Section 5.3</a> of <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). When a request is received, the server reconstructs an "effective request URI" for the target resource (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>).
+      <p id="rfc.section.2.p.2">When a client constructs an HTTP/1.1 request message, it sends the <a href="p1-messaging.html#target-resource" class="smpl">target URI</a> in one of various forms, as defined in (<a href="p1-messaging.html#request-target" title="Request Target">Section 5.3</a> of <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). When a request is received, the server reconstructs an <a href="p1-messaging.html#effective.request.uri" class="smpl">effective request URI</a> for the target resource (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>).
       </p>
       <p id="rfc.section.2.p.3">One design goal of HTTP is to separate resource identification from request semantics, which is made possible by vesting the
@@ -1822 +1822 @@
   <a href="#header.accept" class="smpl">accept-ext</a>     = <a href="#imported.abnf" class="smpl">OWS</a> ";" <a href="#imported.abnf" class="smpl">OWS</a> <a href="#imported.abnf" class="smpl">token</a> [ "=" <a href="#imported.abnf" class="smpl">word</a> ]
 </pre><p id="rfc.section.5.3.2.p.3">The asterisk "*" character is used to group media types into ranges, with "*/*" indicating all media types and "type/*" indicating
-         all subtypes of that type. The media-range <em class="bcp14">MAY</em> include media type parameters that are applicable to that range.
-      </p>
-      <p id="rfc.section.5.3.2.p.4">Each media-range <em class="bcp14">MAY</em> be followed by one or more accept-params, beginning with the "q" parameter for indicating a relative weight, as defined in <a href="#quality.values" title="Quality Values">Section&nbsp;5.3.1</a>. The first "q" parameter (if any) separates the media-range parameter(s) from the accept-params.
+         all subtypes of that type. The media-range can include media type parameters that are applicable to that range.
+      </p>
+      <p id="rfc.section.5.3.2.p.4">Each media-range might be followed by zero or more applicable media type parameters (e.g., <a href="#charset" class="smpl">charset</a>), an optional "q" parameter for indicating a relative weight (<a href="#quality.values" title="Quality Values">Section&nbsp;5.3.1</a>), and then zero or more extension parameters. The "q" parameter is necessary if any accept-ext are present, since it acts
+         as a separator between the two parameter sets.
       </p>
       <div class="note" id="rfc.section.5.3.2.p.5"> 
@@ -2069 +2070 @@
       <div id="rfc.iref.r.2"></div>
       <h3 id="rfc.section.5.5.2"><a href="#rfc.section.5.5.2">5.5.2</a>&nbsp;<a id="header.referer" href="#header.referer">Referer</a></h3>
-      <p id="rfc.section.5.5.2.p.1">The "Referer" [sic] header field allows the client to specify the URI of the resource from which the target URI was obtained
-         (the "referrer", although the header field is misspelled.).
-      </p>
-      <p id="rfc.section.5.5.2.p.2">The Referer header field allows servers to generate lists of back-links to resources for interest, logging, optimized caching,
-         etc. It also allows obsolete or mistyped links to be traced for maintenance. Some servers use Referer as a means of controlling
-         where they allow links from (so-called "deep linking"), but legitimate requests do not always contain a Referer header field.
-      </p>
-      <p id="rfc.section.5.5.2.p.3">If the target URI was obtained from a source that does not have its own URI (e.g., input from the user keyboard), the Referer
-         field <em class="bcp14">MUST</em> either be sent with the value "about:blank", or not be sent at all. Note that this requirement does not apply to sources with
-         non-HTTP URIs (e.g., FTP).
+      <p id="rfc.section.5.5.2.p.1">The "Referer" [sic] header field allows the user agent to specify a URI reference for the resource from which the <a href="p1-messaging.html#target-resource" class="smpl">target URI</a> was obtained (i.e., the "referrer", though the field name is misspelled). A user agent <em class="bcp14">MUST</em> exclude any fragment or userinfo components <a href="#RFC3986" id="rfc.xref.RFC3986.1"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a> when generating the Referer field value.
       </p>
       <div id="rfc.figure.u.36"></div><pre class="inline"><span id="rfc.iref.g.35"></span>  <a href="#header.referer" class="smpl">Referer</a> = <a href="#imported.abnf" class="smpl">absolute-URI</a> / <a href="#imported.abnf" class="smpl">partial-URI</a>
-</pre><p id="rfc.section.5.5.2.p.5">Example:</p>
+</pre><p id="rfc.section.5.5.2.p.3">Referer allows servers to generate back-links to other resources for simple analytics, logging, optimized caching, etc. It
+         also allows obsolete or mistyped links to be found for maintenance. Some servers use Referer as a means of denying links from
+         other sites (so-called "deep linking") or restricting cross-site request forgery (CSRF), but not all requests contain a Referer
+         header field.
+      </p>
+      <p id="rfc.section.5.5.2.p.4">Example:</p>
       <div id="rfc.figure.u.37"></div><pre class="text">  Referer: http://www.example.org/hypertext/Overview.html
-</pre><p id="rfc.section.5.5.2.p.7">If the field value is a relative URI, it <em class="bcp14">SHOULD</em> be interpreted relative to the effective request URI. The URI <em class="bcp14">MUST NOT</em> include a fragment. See <a href="#encoding.sensitive.information.in.uris" title="Encoding Sensitive Information in URIs">Section&nbsp;9.4</a> for security considerations.
+</pre><p id="rfc.section.5.5.2.p.6">If the target URI was obtained from a source that does not have its own URI (e.g., input from the user keyboard, or an entry
+         within the user's bookmarks/favorites), the user agent <em class="bcp14">MUST</em> either exclude Referer or send it with a value of "about:blank".
+      </p>
+      <p id="rfc.section.5.5.2.p.7">The Referer field has the potential to reveal information about the request context or browsing history of the user, which
+         is a privacy concern if the referring resource's identifier reveals personal information (such as an account name) or a resource
+         that is supposed to be confidential (such as behind a firewall or internal to a secured service). Most general-purpose user
+         agents do not send the Referer header field when the referring resource is a local "file" or "data" URI. A user agent <em class="bcp14">SHOULD NOT</em> send a <a href="#header.referer" class="smpl">Referer</a> header field in a (non-secure) HTTP request if the referring page was received with a secure protocol. See <a href="#encoding.sensitive.information.in.uris" title="Encoding Sensitive Information in URIs">Section&nbsp;9.4</a> for additional security considerations.
+      </p>
+      <p id="rfc.section.5.5.2.p.8">Some intermediaries have been known to indiscriminately remove Referer header fields from outgoing requests. This has the
+         unfortunate side-effect of interfering with protection against CSRF attacks, which can be far more harmful to their users.
+         Intermediaries and user agent extensions that wish to limit information disclosure in Referer ought to restrict their changes
+         to specific edits, such as replacing internal domain names with pseudonyms or truncating the query and/or path components.
+         Intermediaries <em class="bcp14">SHOULD NOT</em> modify or delete the Referer field when the field value shares the same scheme and host as the request target.
       </p>
       <div id="rfc.iref.u.1"></div>
@@ -2908 +2917 @@
       </p>
       <div id="rfc.figure.u.51"></div><pre class="inline"><span id="rfc.iref.g.56"></span>  <a href="#header.location" class="smpl">Location</a> = <a href="#imported.abnf" class="smpl">URI-reference</a>
-</pre><p id="rfc.section.7.1.2.p.3">The field value consists of a single URI-reference. When it has the form of a relative reference (<a href="#RFC3986" id="rfc.xref.RFC3986.1"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-4.2">Section 4.2</a>), the final value is computed by resolving it against the effective request URI (<a href="#RFC3986" id="rfc.xref.RFC3986.2"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-5">Section 5</a>). If the original URI, as navigated to by the user agent, contains a fragment identifier, and the Location value does not,
+</pre><p id="rfc.section.7.1.2.p.3">The field value consists of a single URI-reference. When it has the form of a relative reference (<a href="#RFC3986" id="rfc.xref.RFC3986.2"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-4.2">Section 4.2</a>), the final value is computed by resolving it against the effective request URI (<a href="#RFC3986" id="rfc.xref.RFC3986.3"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-5">Section 5</a>). If the original URI, as navigated to by the user agent, contains a fragment identifier, and the Location value does not,
          then the original URI's fragment identifier is appended to the Location value.
       </p>
@@ -3800 +3809 @@
       </p>
       <h2 id="rfc.section.9.4"><a href="#rfc.section.9.4">9.4</a>&nbsp;<a id="encoding.sensitive.information.in.uris" href="#encoding.sensitive.information.in.uris">Encoding Sensitive Information in URIs</a></h2>
-      <p id="rfc.section.9.4.p.1">Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly
-         recommended that the user be able to select whether or not the <a href="#header.referer" class="smpl">Referer</a> field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively
-         enable/disable the sending of Referer and From information.
-      </p>
-      <p id="rfc.section.9.4.p.2">Clients <em class="bcp14">SHOULD NOT</em> include a <a href="#header.referer" class="smpl">Referer</a> header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
+      <p id="rfc.section.9.4.p.1">URIs are intended to be shared, not secured, even when they identify secure resources. URIs are often shown on displays, added
+         to templates when a page is printed, and stored in a variety of unprotected bookmark lists. It is therefore unwise to include
+         information within a URI that is sensitive, personally identifiable, or a risk to disclose.
+      </p>
+      <p id="rfc.section.9.4.p.2">Since the Referer header field tells a target site about the context that resulted in a request, it has the potential to reveal
+         information about the user's immediate browsing history and any personal information that might be found in the referring
+         resource's URI. Further discussion of Referer considerations can be found in <a href="#header.referer" id="rfc.xref.header.referer.3" title="Referer">Section&nbsp;5.5.2</a>.
       </p>
       <p id="rfc.section.9.4.p.3">Authors of services <em class="bcp14">SHOULD NOT</em> use GET-based forms for the submission of sensitive data because that data will be placed in the request-target. Many existing
          servers, proxies, and user agents log or display the request-target in places where it might be visible to third parties.
-         Such services can use POST-based form submission instead.
+         Such services ought to use POST-based form submission instead.
       </p>
       <h2 id="rfc.section.9.5"><a href="#rfc.section.9.5">9.5</a>&nbsp;<a id="location.spoofing-leakage" href="#location.spoofing-leakage">Location Header Fields: Spoofing and Information Leakage</a></h2>
@@ -4153 +4164 @@
       <p id="rfc.section.C.p.16">Requirements for sending the Date header field have been clarified. (<a href="#header.date" id="rfc.xref.header.date.4" title="Date">Section&nbsp;7.1.1.2</a>)
       </p>
-      <p id="rfc.section.C.p.17">The <a href="#header.referer" class="smpl">Referer</a> header field can now have a value of "about:blank" as an alternative to not sending a Referer header field. (<a href="#header.referer" id="rfc.xref.header.referer.3" title="Referer">Section&nbsp;5.5.2</a>)
+      <p id="rfc.section.C.p.17">The <a href="#header.referer" class="smpl">Referer</a> header field can now have a value of "about:blank" as an alternative to not sending a Referer header field. (<a href="#header.referer" id="rfc.xref.header.referer.4" title="Referer">Section&nbsp;5.5.2</a>)
       </p>
       <p id="rfc.section.C.p.18">The <a href="#status.201" class="smpl">201 (Created)</a> status code can indicate that more than one resource has been created (as well as just one).
@@ -4653 +4664 @@
             </li>
             <li><a id="rfc.index.R" href="#rfc.index.R"><b>R</b></a><ul>
-                  <li>Referer header field&nbsp;&nbsp;<a href="#rfc.xref.header.referer.1">5.5</a>, <a href="#rfc.iref.r.2"><b>5.5.2</b></a>, <a href="#rfc.xref.header.referer.2">8.3.2</a>, <a href="#rfc.xref.header.referer.3">C</a></li>
+                  <li>Referer header field&nbsp;&nbsp;<a href="#rfc.xref.header.referer.1">5.5</a>, <a href="#rfc.iref.r.2"><b>5.5.2</b></a>, <a href="#rfc.xref.header.referer.2">8.3.2</a>, <a href="#rfc.xref.header.referer.3">9.4</a>, <a href="#rfc.xref.header.referer.4">C</a></li>
                   <li>representation&nbsp;&nbsp;<a href="#rfc.iref.r.1">3</a></li>
                   <li><em>REST</em>&nbsp;&nbsp;<a href="#rfc.xref.REST.1">3</a>, <a href="#rfc.xref.REST.2">4.1</a>, <a href="#REST"><b>11.2</b></a></li>
@@ -4701 +4712 @@
                   </li>
                   <li><em>RFC2978</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC2978.1">3.1.1.2</a>, <a href="#RFC2978"><b>11.2</b></a></li>
-                  <li><em>RFC3986</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.1">7.1.2</a>, <a href="#rfc.xref.RFC3986.2">7.1.2</a>, <a href="#RFC3986"><b>11.1</b></a><ul>
-                        <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.1">7.1.2</a></li>
-                        <li><em>Section 5</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.2">7.1.2</a></li>
+                  <li><em>RFC3986</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.1">5.5.2</a>, <a href="#rfc.xref.RFC3986.2">7.1.2</a>, <a href="#rfc.xref.RFC3986.3">7.1.2</a>, <a href="#RFC3986"><b>11.1</b></a><ul>
+                        <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.2">7.1.2</a></li>
+                        <li><em>Section 5</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.3">7.1.2</a></li>
                      </ul>
                   </li>
@@ -4756 +4767 @@
             </li>
             <li><a id="rfc.index.T" href="#rfc.index.T"><b>T</b></a><ul>
-                  <li>TRACE method&nbsp;&nbsp;<a href="#rfc.xref.TRACE.1">4.1</a>, <a href="#rfc.iref.t.1"><b>4.3.8</b></a>, <a href="#rfc.xref.TRACE.2">5.1.1</a>, <a href="#rfc.xref.TRACE.3">8.1.3</a>, <a href="#rfc.xref.TRACE.4">9.3</a>, <a href="#rfc.extref.t.48">C</a>, <a href="#rfc.xref.TRACE.5">C</a></li>
+                  <li>TRACE method&nbsp;&nbsp;<a href="#rfc.xref.TRACE.1">4.1</a>, <a href="#rfc.iref.t.1"><b>4.3.8</b></a>, <a href="#rfc.xref.TRACE.2">5.1.1</a>, <a href="#rfc.xref.TRACE.3">8.1.3</a>, <a href="#rfc.xref.TRACE.4">9.3</a>, <a href="#rfc.extref.t.50">C</a>, <a href="#rfc.xref.TRACE.5">C</a></li>
                </ul>
             </li>

draft-ietf-httpbis/latest/p2-semantics.xml

@@ -268 +268 @@
 <t>
    When a client constructs an HTTP/1.1 request message, it sends the
-   "target URI" in one of various forms, as defined in
+   <x:ref>target URI</x:ref> in one of various forms, as defined in
    (&request-target;). When a request is received, the server reconstructs
-   an "effective request URI" for the target resource
+   an <x:ref>effective request URI</x:ref> for the target resource
    (&effective-request-uri;).
 </t>
@@ -2024 +2024 @@
    The asterisk "*" character is used to group media types into ranges,
    with "*/*" indicating all media types and "type/*" indicating all
-   subtypes of that type. The media-range &MAY; include media type
+   subtypes of that type. The media-range can include media type
    parameters that are applicable to that range.
 </t>
 <t>
-   Each media-range &MAY; be followed by one or more accept-params,
-   beginning with the "q" parameter for indicating a relative weight,
-   as defined in &qvalue;.
-   The first "q" parameter (if any) separates the media-range
-   parameter(s) from the accept-params.
+   Each media-range might be followed by zero or more applicable media type
+   parameters (e.g., <x:ref>charset</x:ref>), an optional "q" parameter for
+   indicating a relative weight (&qvalue;), and then zero or more extension
+   parameters. The "q" parameter is necessary if any accept-ext are present,
+   since it acts as a separator between the two parameter sets.
 </t>
 <x:note>
@@ -2374 +2374 @@
   <x:anchor-alias value="Referer"/>
 <t>
-   The "Referer" [sic] header field allows the client to specify the
-   URI of the resource from which the target URI was obtained (the
-   "referrer", although the header field is misspelled.).
-</t>
-<t>
-   The Referer header field allows servers to generate lists of back-links to
-   resources for interest, logging, optimized caching, etc. It also allows
-   obsolete or mistyped links to be traced for maintenance. Some servers use
-   Referer as a means of controlling where they allow links from (so-called
-   "deep linking"), but legitimate requests do not always
-   contain a Referer header field.
-</t>
-<t>
-   If the target URI was obtained from a source that does not have its own
-   URI (e.g., input from the user keyboard), the Referer field &MUST; either be
-   sent with the value "about:blank", or not be sent at all. Note that this
-   requirement does not apply to sources with non-HTTP URIs (e.g., FTP).
+   The "Referer" [sic] header field allows the user agent to specify a URI
+   reference for the resource from which the <x:ref>target URI</x:ref> was
+   obtained (i.e., the "referrer", though the field name is misspelled).
+   A user agent &MUST; exclude any fragment or userinfo components
+   <xref target="RFC3986"/> when generating the Referer field value.
 </t>
 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Referer"/>
@@ -2396 +2384 @@
 </artwork></figure>
 <t>
+   Referer allows servers to generate back-links to other resources for
+   simple analytics, logging, optimized caching, etc. It also allows
+   obsolete or mistyped links to be found for maintenance. Some servers use
+   Referer as a means of denying links from other sites (so-called
+   "deep linking") or restricting cross-site request forgery (CSRF),
+   but not all requests contain a Referer header field.
+</t>
+<t>
    Example:
 </t>
@@ -2402 +2398 @@
 </artwork></figure>
 <t>
-   If the field value is a relative URI, it &SHOULD; be interpreted
-   relative to the effective request URI. The URI &MUST-NOT; include a fragment. See
-   <xref target="encoding.sensitive.information.in.uris"/> for security considerations.
+   If the target URI was obtained from a source that does not have its own
+   URI (e.g., input from the user keyboard, or an entry within the user's
+   bookmarks/favorites), the user agent &MUST; either exclude Referer or
+   send it with a value of "about:blank".
+</t>
+<t>
+   The Referer field has the potential to reveal information about the request
+   context or browsing history of the user, which is a privacy concern if the
+   referring resource's identifier reveals personal information (such as an
+   account name) or a resource that is supposed to be confidential (such as
+   behind a firewall or internal to a secured service). Most general-purpose
+   user agents do not send the Referer header field when the referring
+   resource is a local "file" or "data" URI. A user agent &SHOULD-NOT; send a
+   <x:ref>Referer</x:ref> header field in a (non-secure) HTTP request if the
+   referring page was received with a secure protocol.
+   See <xref target="encoding.sensitive.information.in.uris"/> for additional
+   security considerations.
+</t>
+<t>
+   Some intermediaries have been known to indiscriminately remove Referer
+   header fields from outgoing requests. This has the unfortunate side-effect
+   of interfering with protection against CSRF attacks, which can be far
+   more harmful to their users. Intermediaries and user agent extensions that
+   wish to limit information disclosure in Referer ought to restrict their
+   changes to specific edits, such as replacing internal domain names with
+   pseudonyms or truncating the query and/or path components.
+   Intermediaries &SHOULD-NOT; modify or delete the Referer field when the
+   field value shares the same scheme and host as the request target.
 </t>
 </section>
@@ -4760 +4781 @@
 <section title="Encoding Sensitive Information in URIs" anchor="encoding.sensitive.information.in.uris">
 <t>
-   Because the source of a link might be private information or might
-   reveal an otherwise private information source, it is strongly
-   recommended that the user be able to select whether or not the
-   <x:ref>Referer</x:ref> field is sent. For example, a browser client could
-   have a toggle switch for browsing openly/anonymously, which would
-   respectively enable/disable the sending of Referer and From
-   information.
-</t>
-<t>
-   Clients &SHOULD-NOT; include a <x:ref>Referer</x:ref> header field in a
-   (non-secure) HTTP request if the referring page was transferred with a secure
-   protocol.
+   URIs are intended to be shared, not secured, even when they identify secure
+   resources.  URIs are often shown on displays, added to templates when a page
+   is printed, and stored in a variety of unprotected bookmark lists.
+   It is therefore unwise to include information within a URI that
+   is sensitive, personally identifiable, or a risk to disclose.
+</t>
+<t>
+   Since the Referer header field tells a target site about the context that
+   resulted in a request, it has the potential to reveal information about the
+   user's immediate browsing history and any personal information that might
+   be found in the referring resource's URI. Further discussion of Referer
+   considerations can be found in <xref target="header.referer"/>.
 </t>
 <t>
@@ -4777 +4798 @@
    sensitive data because that data will be placed in the request-target. Many
    existing servers, proxies, and user agents log or display the request-target
-   in places where it might be visible to third parties. Such services can
-   use POST-based form submission instead.
+   in places where it might be visible to third parties. Such services ought
+   to use POST-based form submission instead.
 </t>
 </section>
@@ -4881 +4902 @@
     <x:defines>Upgrade</x:defines>
     <x:defines>Via</x:defines>
+    <x:defines>effective request URI</x:defines>
+    <x:defines>target URI</x:defines>
   </x:source>
 </reference>