Re: [referrer] Providing safer policy states from Emily Stark (Dunn) on 2016-04-06 (public-webappsec@w3.org from April 2016)

From: Emily Stark (Dunn) <estark@google.com>
Date: Wed, 6 Apr 2016 13:26:36 -0700
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, Francois Marier <francois@mozilla.com>, Jochen Eisinger <eisinger@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAPP_2Sbw4Loq3ojpB1EpADtgfDY=e1MmnM++oi8vHqaAF0V8xw@mail.gmail.com>

On Tue, Apr 5, 2016 at 11:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Apr 6, 2016 at 5:43 AM, Emily Stark (Dunn) <estark@google.com>
> wrote:
> > Adding these new policy states sounds reasonable to me. However, I want
> to
> > note that there's been discussion about expanding the spec to a
> JSON-based
> > syntax that allows much more flexibility. For example, we might want to
> > express the policy "'unsafe-url' for navigations to and subresources from
> > myadnetwork.com, and 'none' for all other origins" -- maybe using some
> > syntax like { "unsafe-url": ["myadnetwork.com", "'self'"], "none": "*"}.
> > (I'm not suggesting that as an actual proposal for the syntax, just an
> idea
> > of the kind of thing we were thinking about.) In that world, the policy
> > states would just be shorthand for the most commonly used policies.
>
> How would you transition the Fetch API and HTML referrerpolicy attribute?
>

Are there specific aspects of this or concerns that you're thinking about?

One idea that had been thrown around is to always have referrer policies be
quoted strings, so that they always parse as JSON. I'm not sure if that's
what you're asking about though.


>
>
> --
> https://annevankesteren.nl/
>

Received on Wednesday, 6 April 2016 20:27:25 UTC