fine by me On Fri, Oct 9, 2015 at 3:45 PM Mike West <mkwst@google.com> wrote: > So, while rewriting most of CSP, I think I've decided that Brian was > right, way back in > https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html. > CSP is simpler to conceptualize as a purely restrictive mechanism, and > I'm on board with the idea that we should keep it that way. > > To that end, I would suggest that we drop the `referrer` directive > from the referrer policy spec, and turn it into a distinct header (how > about `referrer: [type]` (or, `referer: origin` in the interests of > historical amusement, and potentially turning on that exciting header > compression that HTTP/2 folks go on about)). > > CCing Brian, Brad, and Dan, who seemed most active in the conversation > a year ago. > > WDYT? > > -- > Mike West <mkwst@google.com>, @mikewest > > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, > Registergericht und -nummer: Hamburg, HRB 86891, Sitz der > Gesellschaft: Hamburg, Geschäftsführer: Matthew Scott Sucherman, Paul > Terence Manicle > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) >
Received on Friday, 9 October 2015 13:56:27 UTC