Re: [Referrer] Adding a referrer attribute delivery mechanism

How about requiring the page level directive to opt-in to that behavior by
asking it to add an unsafe-allow-override in the referrer policy? Otherwise
any HTML injection (img, say) allows leaking the current URI via a referrer,
which breaks the high level guarantee the referrer policy can provide.
On Feb 12, 2015 11:35 PM, "Francois Marier" <francois@mozilla.com> wrote:

> On 13/02/15 19:08, Devdatta Akhawe wrote:
> > There is a huge advantage to the page wide policy since it makes
> > reasoning about the security of a web application a lot more
> > tractable. I would be worried about letting a local element override
> > the page wide policy
>
> As you point out, this is not part of the pull request, but what I was
> thinking is that the element attribute would take precedence over the
> page policy (at least the one defined in the meta tag, I'm not entirely
> sure where the CSP policy would fit in).
>
> This is important because it allows someone to say:
>
> - no referrer for everything on this page
> - except for this one link to an internal property because we need the
> origin and path
>
> If we have the meta policy take precedence over the policy in each link,
> then the web developer in the above example isn't going to be able to
> use a restrictive global policy.
>
> Francois
>
>
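To make the precedence question concrete, here is an added example (not code from this thread, from any browser, or from the spec) that models two things: what the Referer value looks like under a few Referrer Policy values, and how a page-wide meta policy and a per-element `referrerpolicy` attribute could be reconciled. The `unsafe-allow-override` token is the hypothetical opt-in proposed in the reply above; its syntax here (an extra token in the meta `content` string) and the default of `no-referrer-when-downgrade` when nothing is set are assumptions. The page URL, the injected image and the internal link are constructed sample values.

```javascript
// Added example: a model of Referer computation and page-vs-element policy
// precedence. `unsafe-allow-override` is the hypothetical opt-in token from
// the reply above; the meta-content syntax used here is an assumption.

const KNOWN_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "unsafe-url",
]);
const OVERRIDE_TOKEN = "unsafe-allow-override"; // hypothetical, see lead-in

// Parse the content of <meta name="referrer" content="..."> into the page
// policy plus whether the page lets elements override it (assumed syntax:
// whitespace- or comma-separated tokens).
function parsePagePolicy(content) {
  const tokens = content.toLowerCase().split(/[\s,]+/).filter(Boolean);
  const allowOverride = tokens.includes(OVERRIDE_TOKEN);
  const policy = tokens.find((t) => KNOWN_POLICIES.has(t)) || null;
  return { policy, allowOverride };
}

// Decide which policy governs one request. With no page policy the element
// attribute wins; with a page policy the element may override it only if
// the page opted in. Default when nothing is set (assumed here):
// no-referrer-when-downgrade.
function resolvePolicy(page, elementPolicy) {
  const fallback = page.policy || "no-referrer-when-downgrade";
  if (!elementPolicy || !KNOWN_POLICIES.has(elementPolicy)) return fallback;
  if (!page.policy || page.allowOverride) return elementPolicy;
  return fallback;
}

// Compute the Referer value a request from `fromUrl` to `toUrl` would carry
// under `policy`. Credentials and the fragment are always stripped.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  from.username = "";
  from.password = "";
  from.hash = "";
  const to = new URL(toUrl);
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer":
      return null;
    case "origin":
      return from.origin + "/";
    case "no-referrer-when-downgrade":
      return downgrade ? null : from.href;
    case "unsafe-url":
      return from.href;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// The risk raised in the reply: the page is set to no-referrer, but injected
// markup (constructed sample) carries its own referrerpolicy attribute.
// Returns the Referer that injected image request would carry, or null.
function injectedImageReferrer(metaContent) {
  const pageUrl = "https://app.example/reset?token=CONSTRUCTED-SECRET";
  const injected = { src: "https://other.example/pixel.gif", referrerpolicy: "unsafe-url" };
  const policy = resolvePolicy(parsePagePolicy(metaContent), injected.referrerpolicy);
  return computeReferrer(policy, pageUrl, injected.src);
}

// The legitimate case Francois describes: page-wide no-referrer, plus one
// link to an internal property that needs origin and path.
function internalLinkReferrer(metaContent) {
  const pageUrl = "https://app.example/reset?token=CONSTRUCTED-SECRET";
  const policy = resolvePolicy(parsePagePolicy(metaContent), "unsafe-url");
  return computeReferrer(policy, pageUrl, "https://internal.example/");
}
```

With `content="no-referrer"` both the injected image and the internal link send no Referer: the page-wide guarantee holds, at the cost of the developer's exception. With `content="no-referrer, unsafe-allow-override"` the internal link gets the full URL it asked for, but so does any injected element, which is exactly the trade-off the reply is pointing at; the opt-in makes that trade-off an explicit, reviewable decision of the page author rather than the default.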

Received on Friday, 13 February 2015 08:30:38 UTC