Re: [REFERRER] Combination of referrer directive values

From: Mike West <mkwst@google.com>
Date: Thu, 8 Jan 2015 11:17:21 +0100
Message-ID: <CAKXHy=egnkHa9OGmumauOdesHLKBdKH95OKkGwcCa=57VYrMSw@mail.gmail.com>
To: sourcekick <sourcekick@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

In the current spec, no, there's no way to create combinations of different
directive values.

Brian has raised some fundamental issues with the current spec, though,
which I think we'll need to address with some broad changes. That might get
us closer to something that would address your use case, but it's not
implemented in any browsers today.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Sun, Dec 28, 2014 at 8:16 PM, sourcekick <sourcekick@gmail.com> wrote:

> Hi,
>
> is it possible to combine certain choices of the referrer policy?
>
> If not, please consider making combinations possible or alternatively add
> more choices. That is, without making the whole space of possibilities too
> complicated.
>
>
> In particular I would be interested in the following combination:
> Origin When Cross-Origin AND No Referrer When Downgrade
> The intention here would be to not send a referrer at all over an insecure
> connection (http) while enforcing the rules of "Origin When Cross-Origin"
> regarding cases with secure connections (https).
>
>
> Note that
> http://w3c.github.io/webappsec/specs/referrer-policy/#determine-policy-for-token
> and
> http://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-states
> and
> https://w3c.github.io/webappsec/specs/content-security-policy/#directive-referrer
> read like combinations are not possible.
>
> -- sk
>
Received on Thursday, 8 January 2015 10:18:10 UTC
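
The behaviour discussed in the thread above, as an added example that is not part of either message or of the spec: it computes the referrer sent under "No Referrer When Downgrade", under "Origin When Cross-Origin", and under the requested combination. The function names, the `combined` label, the sample URLs, and the reading of the combination (downgrade check first, then Origin When Cross-Origin) are assumptions.

```javascript
// Added illustration: not code from the thread, the spec, or any browser.
// Policy names are the state names used in the quoted message; "combined"
// is a hypothetical label for the requested combination.

// Referrer form of a URL: credentials and fragment removed, or origin only.
function stripUrl(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + '/';
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;
const isDowngrade = (from, to) =>
  new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';

// Returns the referrer string to send, or null for "send nothing".
function computeReferrer(policy, documentUrl, requestUrl) {
  switch (policy) {
    case 'No Referrer When Downgrade':
      return isDowngrade(documentUrl, requestUrl) ? null : stripUrl(documentUrl, false);
    case 'Origin When Cross-Origin':
      // An https -> http request is cross-origin, so the origin still goes out in cleartext.
      return stripUrl(documentUrl, !sameOrigin(documentUrl, requestUrl));
    case 'combined':
      // Assumed reading: the downgrade check first, then Origin When Cross-Origin.
      if (isDowngrade(documentUrl, requestUrl)) return null;
      return stripUrl(documentUrl, !sameOrigin(documentUrl, requestUrl));
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

// Constructed sample URLs.
const DOC = 'https://user:pw@shop.example/cart?id=7#pay';
const TARGETS = ['https://shop.example/api', 'https://cdn.example/x.js', 'http://cdn.example/x.js'];
for (const policy of ['No Referrer When Downgrade', 'Origin When Cross-Origin', 'combined']) {
  for (const target of TARGETS) {
    console.log(policy.padEnd(27), target.padEnd(25), computeReferrer(policy, DOC, target));
  }
}
```

The last column shows the difference: only "Origin When Cross-Origin" on its own still sends `https://shop.example/` to the `http:` target.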