- From: Evan J Johnson <e@ejj.io>
- Date: Mon, 17 Oct 2016 13:50:21 -0700
- To: public-webappsec@w3.org
- Message-Id: <1476737421.2694391.758871425.5082B21B@webmail.messagingengine.com>
Ah thanks Emily. I can see it's a hard question to answer now.

Whatever is processed last, but with one edge case. If I understand, the precedence is (from highest to lowest):

1. ReferrerPolicy is no-referrer, or rel="noreferrer".
2. Implicit, via inheritance.
3. Any other referrerpolicy attribute that is not "no-referrer"
4. Meta-tag.
5. HTTP Header

evan

On Sun, Oct 16, 2016, at 09:09 AM, Emily Stark wrote:
> Hi Evan,
>
> If the browser recognizes the policy in a meta tag as a valid policy,
> then it would override any policy set by a header for the document.
> This is mentioned in
> https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values
> ("the value of the latest one will be used"), though I'd happily take
> suggestions on how to make it clearer!
>
> Emily
>
> On Sun, Oct 16, 2016 at 1:13 AM, Evan J Johnson <e@ejj.io> wrote:
>> Glad to see this is being finished!
>>
>> I'm curious about the order of precedence of the 5 different ways to set a
>> referrer policy.
>>
>> This is very confusing in my opinion (something I will begin to say
>> about a lot of specs). The spec reads like the following is possible,
>> unless I'm missing something:
>>
>> 1. Blanket referrer policy set by header.
>> 2. Different referrer policy set by meta tag.
>> 3. Third policy as an attribute.
>>
>> I would assume the most specific policy would win, in this case
>> the noreferrer attribute, but which policy wins out of 1 and 2?
>>
>> evan
>>
>> On Sat, Oct 15, 2016, at 09:18 PM, Emily Stark wrote:
>>> This is a call for consensus of the WebAppSec WG to request
>>> advancement of Referrer Policy to Candidate Recommendation.
>>>
>>> The text for the proposed CR draft is to be the Editor's Draft at:
>>> https://w3c.github.io/webappsec-referrer-policy/
>>>
>>> This call for consensus will expire on 23-October-2016. Positive
>>> feedback is encouraged and lack of feedback is considered "no
>>> objection". Please send feedback to: public-webappsec@w3.org with a
>>> subject line beginning with '[REFERRER]'.
>>>
>>> Thanks,
>>> Emily
Received on Monday, 17 October 2016 20:50:45 UTC
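
The header-versus-meta rule discussed in this thread, as an added example that is not part of the original messages or of the spec text: a small resolver a reviewer can use to check which policy a page actually ends up with when several delivery mechanisms disagree. The function names, the input shape, the case-insensitive matching, and the treatment of the element attribute and rel="noreferrer" as per-link overrides are assumptions of this sketch; legacy meta values and inheritance are not modeled.

```javascript
// Added illustration; all names here are hypothetical.
const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Normalize one candidate value; return null for unknown or empty values.
// Trimming and lowercasing before comparison is an assumption of this sketch.
function recognize(value) {
  const v = String(value ?? "").trim().toLowerCase();
  return POLICIES.has(v) ? v : null;
}

// Referrer-Policy header: comma-separated tokens. Unknown tokens are skipped
// and "the value of the latest one will be used".
function policyFromHeader(headerValue) {
  let policy = null;
  for (const token of String(headerValue ?? "").split(",")) {
    policy = recognize(token) ?? policy;
  }
  return policy;
}

// Resolve the policy for one link. Returns { policy, source };
// policy "" means nothing was set and the browser default applies.
function effectivePolicy({ header, metas = [], attr, rel = "" }) {
  let result = { policy: "", source: "default" };
  const h = policyFromHeader(header);
  if (h) result = { policy: h, source: "header" };
  // Meta tags are seen after the response header, in document order;
  // each recognized value replaces the document's policy.
  for (const m of metas) {
    const p = recognize(m);
    if (p) result = { policy: p, source: "meta" };
  }
  // Per-element attribute overrides the document policy for this link.
  const a = recognize(attr);
  if (a) result = { policy: a, source: "attribute" };
  // rel="noreferrer" forces no-referrer regardless of the above.
  if (rel.toLowerCase().split(/\s+/).includes("noreferrer")) {
    result = { policy: "no-referrer", source: "rel" };
  }
  return result;
}
```

An unrecognized meta value leaves the header policy in force, so a typo in a meta tag intended to tighten the policy fails silently; checking the `source` field makes that visible.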