FWIW, i'm also pleased to see CSP heading back in this direction and away from the 'security kitchen sink' direction. ian On Fri, Oct 9, 2015 at 9:09 AM, Brad Hill <hillbrad@gmail.com> wrote: > +1 > > On Fri, Oct 9, 2015 at 6:55 AM Jochen Eisinger <eisinger@google.com> > wrote: > >> fine by me >> >> On Fri, Oct 9, 2015 at 3:45 PM Mike West <mkwst@google.com> wrote: >> >>> So, while rewriting most of CSP, I think I've decided that Brian was >>> right, way back in >>> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html. >>> CSP is simpler to conceptualize as a purely restrictive mechanism, and >>> I'm on board with the idea that we should keep it that way. >>> >>> To that end, I would suggest that we drop the `referrer` directive >>> from the referrer policy spec, and turn it into a distinct header (how >>> about `referrer: [type]` (or, `referer: origin` in the interests of >>> historical amusement, and potentially turning on that exciting header >>> compression that HTTP/2 folks go on about)). >>> >>> CCing Brian, Brad, and Dan, who seemed most active in the conversation >>> a year ago. >>> >>> WDYT? >>> >>> -- >>> Mike West <mkwst@google.com>, @mikewest >>> >>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, >>> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der >>> Gesellschaft: Hamburg, Geschäftsführer: Matthew Scott Sucherman, Paul >>> Terence Manicle >>> (Sorry; I'm legally required to add this exciting detail to emails. >>> Bleh.) >>> >>
Received on Friday, 9 October 2015 16:14:24 UTC