Re: Quoted Referrer-Policy values from Mike West on 2016-09-07 (public-webappsec@w3.org from September 2016)

From: Mike West <mkwst@google.com>
Date: Wed, 7 Sep 2016 14:08:46 +0200
To: "Emily Stark (Dunn)" <estark@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Francois Marier <francois@mozilla.com>, Franziskus Kiefer <fkiefer@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAKXHy=eWKN5WsN2TS1Zve8Q0iUzP09Y_PTD4rcNHBf5U9O+DVQ@mail.gmail.com>

Friendly ping, Mozilla folks! :)

I think the more general question is how we'd like to define header syntax
going forward. The HTTP WG in the IETF seems less keen on JSON than I'd
originally thought (http://httpwg.org/http-extensions/jfv.html being more
of an indication that "Some structure would be nice!" rather than a ringing
endorsement of JSON in and of itself). Still, my impression is that JSON is
something that developers understand, and have lots of tooling to support.

Given that background, I'd suggest it would be prudent to define header
syntax that's forward-compatible with structured languages like JSON.
Quoting the referrer policy values does that pretty cleanly. I think it's
worth making the change.

-mike

On Wed, Aug 31, 2016 at 6:26 PM, Emily Stark (Dunn) <estark@google.com>
wrote:

> For the value of the Referrer-Policy header, Mike pointed out that there
> was some agreement to quote the values (`Referrer-Policy: "unsafe-url"`),
> but that never actually made it into the spec. (My bad.) See
> https://github.com/w3c/webappsec-referrer-policy/issues/65.
>
> I would like to do this to be forwards-compatible in case we later want to
> introduce a more flexible JSON based-syntax. Mozilla folks, are you
> willing/able to consider changing the Firefox implementation?
>
> Thanks,
> Emily
>

Received on Wednesday, 7 September 2016 12:09:36 UTC