- From: Mike West <mkwst@google.com>
- Date: Mon, 27 Oct 2014 10:52:19 +0100
- To: Sean Snider <ssnider@yahoo-inc.com>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dxy8Xat1R-8k8NoZOy7zh+KE7FOT6EVK_ELX+a4tB7XA@mail.gmail.com>
On Sat, Oct 25, 2014 at 2:37 AM, Sean Snider <ssnider@yahoo-inc.com> wrote: > Actually in that case, you don't lose the referrer. . . data URI, or > about:blank inherit the referrer of the parent if nothing > is there (at least for document.referrer). And also even if it didn't, > you'd get a blank referrer, in which case in my example, > goodguys.org would just take action and not do anything or nuke > themselves or whatever. . . > At least in Chrome, that's not the case. See http://jsbin.com/jalalazedi/1/ for example. I was wondering if instead of white list of URIs/origins, it might be valid > to specify the level that > you are expected to be nested or allowed to be nested. . . and you could > even do that with URIs as well. > Certainly there are cases where you only ever want to have your content in > an IFRAME if it's a direct > child of someone else. I think we can save that for the next round of CSP > though. . . > Seems like a reasonable thing to think about. Filed https://www.w3.org/2011/webappsec/track/actions/192 so we don't forget it. But back to referrer. . . what's the valid use-case for "none"? Is it > really just about data-leakage? If that's > the case, they I'd argue strongly against none, and just allow stripping > down. Rarely do hostname and scheme > contain sensitive information, and in that case. . .really the site itself > should be setup differently :P > At the moment, my recommendation is to remove none from CSP 2.0 candidate. > . . but let's hear the thoughts. . . > What's the justification for anything other than 'none'? Shouldn't we have to justify information leakage, rather than justifying not leaking data about user activity on the web? The fact that portions of the web depend on getting referrer information in order to make security decisions is unfortunate, and makes it difficult for us to change the default, but shouldn't be accepted as an argument for denying sites the opportunity to choose something other than the status quo. -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 27 October 2014 09:53:10 UTC