- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 27 May 2011 19:11:00 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>

On 5/26/11 5:04 PM, Adam Barth wrote:
> https://bugs.webkit.org/show_bug.cgi?id=61576
>
> Should we add a "scrub-referrer" directive to CSP?

Adding it to CSP side-steps the breakage problem by making it opt-in, but will the sites we care about opt-in? Some of them simply don't care, they may already be doing stupid things like passing credentials in URLs in the clear. Some of them are passing the information on purpose. If we're concerned about referrer leaks we shouldn't rely on voluntary opt-in via CSP.

I'm not strongly against adding it, but I suspect it's useless bloat. I'd prefer to standardize what we've got so far before we add more to it.

-Dan Veditz

Received on Saturday, 28 May 2011 02:11:36 UTC