Re: CSP 1.1 referrer + meta >= <meta name="referrer"> ? from Mike West on 2014-01-30 (public-webappsec@w3.org from January 2014)

From: Mike West <mkwst@google.com>
Date: Thu, 30 Jan 2014 07:08:13 -0800
To: David Bruant <bruant.d@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <abarth@chromium.org>
Message-ID: <CAKXHy=facrdW=u49wpzKBOXFMEcwdqqpgpBmraHWTQUZXXZUfQ@mail.gmail.com>

You're correct: the referrer directive is meant to provide similar
functionality to what's specced at http://wiki.whatwg.org/wiki/Meta_referrer.
The goal is certainly to fold that functionality into this standard, in the
same way that we've brought in the 'X-Frame-Options' and 'X-XSS-Protection'
functionality. Ideally, you'd be able to just use CSP, rather than
configuring in a few different places.

The note about conflicting policies remains important, however, for two
reasons:

1. It's quite possible for more than one Content Security Policy to be
delivered with a page: a server might be configured in such a way that it
emits two policy headers, for instance.

2. The spec mandates behavior for processing `<meta
http-equiv="Content-Security-Policy" ...>`. It does not otherwise address
alternate mechanisms of setting policies outside the scope of CSP. If we
removed the note, I don't believe it would be clear what a user agent
should do when both a 'referrer' directive and a 'referrer' meta tag were
present. Same story for XSS protection and X-Frame-Options.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Jan 30, 2014 at 3:10 AM, David Bruant <bruant.d@gmail.com> wrote:

> [Not sure if this list or whatwg is most appropriate.
> cc'ing Adam Barth in any case]
>
> Hi,
>
> It looks to me that combining CSP 1.1 referrer directive and HTML meta
> element, one gets at least to the same result than what was intended for
> <meta name="referrer">.
> Should we forget about <meta name="referrer"> then?
>
> The referrer directive currently has a note about conflicting policies.
> This note could be removed. Conflicts could only occur if there is
> conflicts between header and meta policy and the CSP spec is very clear on
> the fact that the header is more important.
>
> David
>
>

Received on Thursday, 30 January 2014 15:09:02 UTC