Re: Early morning thoughts on referrers. from Brad Hill on 2014-11-18 (public-webappsec@w3.org from November 2014)

From: Brad Hill <hillbrad@fb.com>
Date: Tue, 18 Nov 2014 04:23:36 +0000
To: Jochen Eisinger <eisinger@google.com>, Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Brian Smith <brian@briansmith.org>
Message-ID: <D09008E9.11F4%hillbrad@fb.com>

Yes, we discussed this on the call.  Takeaways were:

  1.  The current behavior is what is already implemented in Webkit browsers.
  2.  We should only complicate a declarative policy mechanism so much.
  3.  ServiceWorkers seem like they might be a good fit for doing fine-grained control of referrer headers in an imperative manner.

Therefore, the group was inclined to leave the spec more or less as-is, at least for declarative purposes and CSP, and continue exploration of a more fully featured API for ServiceWorkers and Fetch.

Can everybody live with that?

-Brad

From: Jochen Eisinger <eisinger@google.com<mailto:eisinger@google.com>>
Date: Monday, November 10, 2014 at 2:32 AM
To: Anne van Kesteren <annevk@annevk.nl<mailto:annevk@annevk.nl>>, Mike West <mkwst@google.com<mailto:mkwst@google.com>>
Cc: "public-webappsec@w3.org<mailto:public-webappsec@w3.org>" <public-webappsec@w3.org<mailto:public-webappsec@w3.org>>, Devdatta Akhawe <dev.akhawe@gmail.com<mailto:dev.akhawe@gmail.com>>, Brian Smith <brian@briansmith.org<mailto:brian@briansmith.org>>
Subject: Re: Early morning thoughts on referrers.
Resent-From: <public-webappsec@w3.org<mailto:public-webappsec@w3.org>>
Resent-Date: Monday, November 10, 2014 at 2:32 AM

I'm not sure that introducing additional complexity into the referrer policy spec is worthwhile. I see the referrer policy as working around some short-comings for websites moving to https, but I don't think that referrers in general are such a great feature that we should make it more compelling to use.

best
-jochen

On Mon Nov 10 2014 at 10:01:36 AM Anne van Kesteren <annevk@annevk.nl<mailto:annevk@annevk.nl>> wrote:
On Mon, Nov 10, 2014 at 6:10 AM, Mike West <mkwst@google.com<mailto:mkwst@google.com>> wrote:
> As a strawman, let's break requests into two buckets: same-public-suffix
> and cross-public-suffix,

Why do we need to bring public suffix into this? That seems like a bad idea.

I agree with Brian that we want to differentiate subresources from
"navigation" (client fetches?). Service workers also need that
distinction, perhaps we should come up with some kind of definition
based on request contexts. (For that we also need to resolve that
dedicated worker question I posed a while back.)

--
https://annevankesteren.nl/<https://urldefense.proofpoint.com/v1/url?u=https://annevankesteren.nl/&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=jVV398LIUT3H%2FO4pIApxFevQTEeBV8C9ugbB3rreDzo%3D%0A&s=d51a2323dcef215c3ebf3e1fc231ae3595d67d15598264874a6ff1496b9d6f3c>

Received on Tuesday, 18 November 2014 04:24:13 UTC