- From: Sid Stamm <sid@mozilla.com>
- Date: Sat, 28 May 2011 09:07:36 -0700
- To: Michal Zalewski <lcamtuf@coredump.cx>
- CC: Daniel Veditz <dveditz@mozilla.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sstamm@mozilla.com>

On 5/27/11 11:22 p, Michal Zalewski wrote:
> Sites that care (Facebook, GMail, etc) typically use the latter
> technique, but every now and then, they miss a spot. Having a simple
> opt-in mechanism that works for all content inclusion modes, and can
> be applied site-wide, is a clear win for them, probably.

I'd be up for adding a directive to CSP in the future, but not for the current working draft (really want to avoid seeing spec creep before a first version is ready).

I know the rel=noreferrer in webkit[0] seems promising, but yeah, if you miss one you're hosed. What if we put it or something similar in the <body> tag?

[0] http://www.webkit.org/blog/907/webkit-nightlies-support-html5-noreferrer-link-relation/

-Sid

Received on Saturday, 28 May 2011 16:08:05 UTC
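
An added example, not part of the original message: a Python audit for the "if you miss one you're hosed" problem with per-link rel=noreferrer discussed above. It lists cross-origin links that lack the relation and, separately, cross-origin loads through other inclusion modes that the link relation cannot cover; the element lists, function names and sample hosts are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that accept rel=noreferrer, and the attribute carrying the URL.
LINK_TAGS = {"a": "href", "area": "href"}
# Other content inclusion modes; the link relation cannot be applied to these.
INCLUDE_TAGS = {"img": "src", "script": "src", "iframe": "src",
                "embed": "src", "link": "href"}

# Constructed sample page; all hosts are placeholders.
SAMPLE = """
<a href="https://other.example/a" rel="nofollow NoReferrer">covered</a>
<a href="https://other.example/b">missed</a>
<a href="/local">same origin</a>
<img src="https://cdn.example/pixel.gif">
"""

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())

class ReferrerAudit(HTMLParser):
    """Collect cross-origin references, split by whether rel=noreferrer applies."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.missed_links = []     # a/area without rel=noreferrer
        self.uncovered_loads = []  # inclusions the relation cannot cover

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url_attr = LINK_TAGS.get(tag) or INCLUDE_TAGS.get(tag)
        target = attrs.get(url_attr) if url_attr else None
        if not target:
            return
        absolute = urljoin(self.page_url, target)
        if urlsplit(absolute).scheme not in ("http", "https"):
            return  # mailto:, javascript:, data: and similar
        if origin(absolute) == origin(self.page_url):
            return  # same-origin references are out of scope here
        if tag in LINK_TAGS:
            rel = (attrs.get("rel") or "").lower().split()
            if "noreferrer" not in rel:
                self.missed_links.append(absolute)
        else:
            self.uncovered_loads.append((tag, absolute))

def audit(html, page_url):
    parser = ReferrerAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.missed_links, parser.uncovered_loads
```
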