- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sat, 8 Nov 2014 18:37:49 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: Michal Zalewski <lcamtuf@coredump.cx>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "eisinger@google.com" <eisinger@google.com>
> I agree. But, aren't analytics and ad conversion trackers usually
> third-party services, such that they wouldn't be covered by your
> proposal, which is restricted to same-origin?

Unfortunately no. Analytics often run as scripts in the origin of the page. Google Analytics is one famous example. Yes, this is bad; this is why we should have sub-origins and SRI :)

To be clear, I am proposing that the "value of the referer" can be a URI that is same-origin. Where the referer then flows depends on the target URI of the request---it can be cross-origin or same-origin.

> That syntax is more than you need, and more error-prone than you need.

You are right. I should have been clearer. As you point out, I am only asking for:

> https://example.com/ (equivalent to 'origin')
> https://example.com/a/
> https://example.com/a/b/
> https://example.com/a/b/c/
> https://example.com/a/b/c/d/

cheers
Dev
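The directory-prefix scheme listed in the message above, as an added example that is not code from the thread or from any browser: given the document's URL, enumerate the same-origin referrer values the proposal would permit (origin first, then each ancestor directory, never a filename, query or fragment) and check a candidate value against them. The function names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit


def candidate_referrer_values(page_url: str) -> list[str]:
    """Return the referrer values the proposal would allow for a document
    at page_url: the origin, then every ancestor directory of its path.

    Only directory prefixes are produced, so the filename, query string
    and fragment of the page URL can never appear in a referrer value.
    """
    parts = urlsplit(page_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    segments = [s for s in parts.path.split("/") if s]
    # A path not ending in "/" names a resource; drop that last segment so
    # only the directories containing it are candidates.
    if not parts.path.endswith("/"):
        segments = segments[:-1]
    values = [origin + "/"]  # equivalent to 'origin'
    prefix = ""
    for seg in segments:
        prefix += "/" + seg
        values.append(origin + prefix + "/")
    return values


def is_permitted_referrer(page_url: str, candidate: str) -> bool:
    """True only if candidate is exactly one of the allowed prefixes.

    Exact matching (rather than startswith) rejects a different origin,
    a path outside the document's ancestors, and any query or fragment.
    """
    return candidate in candidate_referrer_values(page_url)


if __name__ == "__main__":
    # Constructed document URL; the query string must not leak.
    page = "https://example.com/a/b/c/d/index.html?session=abc"
    for value in candidate_referrer_values(page):
        print(value)
```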
Received on Sunday, 9 November 2014 02:38:36 UTC