Re: referrer directive expressiveness

On Mon, Feb 10, 2014 at 12:50 PM, Anne van Kesteren <annevk@annevk.nl>wrote:

> On Mon, Feb 10, 2014 at 12:32 PM, Mike West <mkwst@google.com> wrote:
> > Added this to the draft spec in
> >
> https://github.com/w3c/webappsec/commit/601923fddb26d128cc30fe8b0671deb3df3ad85a
> >
> > If folks hate the names, bikeshedding is welcome. I'm not firmly
> attached to
> > them.
>
> Are you going to migrate http://wiki.whatwg.org/wiki/Meta_referrer
> towards these new names too?
>

I'm happy to make that suggestion, sure. Blink would likely have to alias
both names for some period of time, but that's no worse than a variety of
other places in which we do strange things based on history.


> There is a small problem with "none-when-insecure". Given the
> existence of https://gist.github.com/ and similar sites that put the
> secret in the URL, it can be unsafe to send out Referer (at least when
> there's more than just origin) even over TLS. So maybe we should keep
> the name "default" for that.
>

Hrm. I can see that. "none-when-insecure" was meant to refer to the
transport mechanism only, but I agree with you that it's potentially
confusing. My only concern with "default" is that it might end up meaning
different things to different browsers (see
https://groups.google.com/d/msg/mozilla.dev.privacy/wmPzPCdzIU8/KGJ401Dj9lYJfor
example). It would be nice to have a name that reflected explicit
functionality as opposed to implicitly falling back on UA behavior. I don't
have a good suggestion other than what I've already suggested. I'd
appreciate suggestions from the group...

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)