'referrer' directive strawman. from Mike West on 2013-10-21 (public-webappsec@w3.org from October 2013)

From: Mike West <mkwst@google.com>
Date: Mon, 21 Oct 2013 19:21:47 +0200
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAKXHy=fC9ESzPXZVJGSieHGTRmqa_zvHCNs0Ze-ogn9Ri=jVGw@mail.gmail.com>

I put in a strawman draft of a 'referrer' directive to control a document's
referrer policy, borrowing liberally from
http://wiki.whatwg.org/wiki/Meta_referrer. Talking to some folks today, I
realized that I never sent this out for comment. Apologies!

I'd love feedback on
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#referrer

Specifically, two things:

1. I'm sure the fetch integration is done poorly. Anne, help? :)

2. The handling of multiple policies needs some discussion. Blink/WebKit
currently implement a "last policy wins" rule for <meta referrer>. That
doesn't really fit with CSP, but
https://bugzilla.mozilla.org/show_bug.cgi?id=704320 lists some potentially
interesting use-cases for the current state of things.

Thanks!

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores

Received on Monday, 21 October 2013 17:22:35 UTC