mikewest / http-state-tokens

Incrementally better HTTP state management.
https://mikewest.github.io/http-state-tokens/draft-west-http-state-tokens.html

Omit Referer #4

Closed staabm closed 6 years ago

staabm commented 6 years ago

Should this spec define that a browser should not send the HTTP Referer with the token requests, as e.g. Facebook could use their "like button widgets" (or similar) to fingerprint the user with the given token?

mikewest commented 6 years ago

That's a reasonable kind of request to make from a privacy perspective, but it's somewhat orthogonal to the proposal here. I'd like to keep this focused on the mechanism of HTTP state management, not on wider issues of information flow in requests.

Thanks!