Re: [csswg-drafts] [css-view-transitions-2] security/privacy considerations with cross-origin css (#8889)

> Will this feature respect the Referrer Policy (specifically, the current default value of `strict-origin-when-cross-origin`) and not expose the referring URL on cross-origin navigations unless a page relaxes its Referrer Policy?

Absolutely.

> 
> If so, then my guess is that this is relatively low-risk* and might not need an explicit opt-in. If not, then this would be problematic -- and in that case even an opt-in might not be sufficient because this API would give the destination the ability to learn potentially sensitive information about the embedding page which we don't want to reveal.
> 
> [*] The reason this seems low risk is that any CSS that can use at-rules can also use selectors and has the ability to learn information about the structure of the page, attribute values, etc. Learning the origin of the referring page or the destination of a navigation sounds like a less scary capability than what's already possible, even if it technically exposes additional information.

Great! I wasn't sure if it was more/less scary, but it seemed like "different" information that's usually not exposed to CSS.

-- 
GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/8889#issuecomment-1576868363 using your GitHub account



Received on Monday, 5 June 2023 14:02:51 UTC
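
The referrer behaviour the thread relies on, as an added example that is not part of the original message or of any specification text: a simplified computation of what a navigation's destination learns under the default `strict-origin-when-cross-origin` policy versus a relaxed `unsafe-url` policy. The function names and sample URLs are constructed for illustration, and treating only `https:` as potentially trustworthy is a simplifying assumption.

```javascript
// Added example (not from the thread). All URLs are constructed samples.

// Strip credentials and fragment; optionally reduce the URL to its origin.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Assumption: only https counts as potentially trustworthy here.
function isTrustworthy(url) {
  return new URL(url).protocol === "https:";
}

// Returns the referrer string the destination sees, or null for none.
function computeReferrer(policy, from, to) {
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  switch (policy) {
    case "unsafe-url":
      // Relaxed policy: full URL is sent everywhere.
      return stripForReferrer(from, false);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(from, false);
      // No referrer on a secure-to-insecure downgrade.
      if (isTrustworthy(from) && !isTrustworthy(to)) return null;
      // Cross-origin: origin only, path and query withheld.
      return stripForReferrer(from, true);
    default:
      throw new Error("policy not covered by this example: " + policy);
  }
}

const FROM = "https://user:pw@intranet.example/patients/1234?tab=labs#results";
console.log(computeReferrer("strict-origin-when-cross-origin", FROM,
                            "https://other.example/landing"));
```
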