
Content-Security-Policy: referrer always

From: Tom Sepez <tsepez@chromium.org>
Date: Tue, 22 Oct 2013 15:02:33 -0700
Message-ID: <CAL0+4Bmi+HM955xT2mmKCwZn=_XVG1uU9oj2-6pF_6f6qnOc7Q@mail.gmail.com>
To: public-webappsec@w3.org
I was reading the draft spec for the content-security-policy referrer
directive, and I was hoping that there could be a way to convey that the
"always" option may be unsafe for HTTPS. Similar to the existing
"unsafe-eval" and "unsafe-inline" directives, perhaps this could be
"unsafe-always" instead.

It has been pointed out to me that this sounds too much like "always
unsafe", so perhaps there is a better name to be found.

Thanks heaps,
--Tom.
Received on Tuesday, 22 October 2013 22:03:55 UTC
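The concern in the message is that `referrer always` sends the full referring URL even when an HTTPS page links to a plain-HTTP target, so path and query data from the secure page travel in the clear. The following evaluator is an added illustration, not code from the message, from the W3C, or from any browser. It assumes the four values of the 2013 draft directive (`never`, `default`, `origin`, `always`) and models their semantics as I read that draft; the header-parsing helper and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Values of the draft CSP 1.1 "referrer" directive discussed in the thread.
# The semantics below are an assumption based on the draft, not text from
# the message; "default" is modelled as "send the full URL unless it would
# be downgraded from https to http".
DRAFT_VALUES = ("never", "default", "origin", "always")


def parse_referrer_directive(csp_header):
    """Return the value of the 'referrer' directive in a CSP header, or None.

    Directives are ';'-separated; each is a name followed by whitespace-
    separated values. Only the first 'referrer' directive counts.
    """
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "referrer":
            return tokens[1].lower() if len(tokens) > 1 else None
    return None


def _is_downgrade(src, dst):
    return src.scheme == "https" and dst.scheme == "http"


def referrer_for(policy, referring_url, target_url):
    """Compute the Referer value a browser would send under `policy`.

    Returns None when no referrer is sent. The fragment is never sent.
    """
    if policy not in DRAFT_VALUES:
        raise ValueError(f"unknown referrer value: {policy!r}")
    src = urlsplit(referring_url)
    dst = urlsplit(target_url)
    full_url = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    origin_only = f"{src.scheme}://{src.netloc}/"

    if policy == "never":
        return None
    if policy == "origin":
        return origin_only
    if policy == "default":
        # The draft's default withholds the referrer on an https->http downgrade.
        return None if _is_downgrade(src, dst) else full_url
    # "always": full URL regardless of the target's scheme. This is the
    # behaviour the message calls unsafe for HTTPS pages.
    return full_url


def leaks_https_url(policy, referring_url, target_url):
    """True if `policy` sends more than the origin of an HTTPS page to an
    HTTP target, i.e. path/query of a secure page would cross the wire in
    clear text."""
    src = urlsplit(referring_url)
    dst = urlsplit(target_url)
    sent = referrer_for(policy, referring_url, target_url)
    if sent is None or not _is_downgrade(src, dst):
        return False
    return sent != f"{src.scheme}://{src.netloc}/"


def audit_header(csp_header, referring_url, target_url):
    """Small audit: report the directive value and whether it leaks for the
    given constructed navigation."""
    value = parse_referrer_directive(csp_header) or "default"
    return {
        "referrer": value,
        "sent": referrer_for(value, referring_url, target_url),
        "leaks_https_url": leaks_https_url(value, referring_url, target_url),
    }


if __name__ == "__main__":
    # Constructed sample: a secure page with a query string linking to an
    # http:// target.
    page = "https://bank.example/statements?acct=42#top"
    link = "http://tracker.example/pixel"
    for header in ("referrer always", "referrer default", "referrer origin"):
        print(header, "->", audit_header(header, page, link))
```

The `leaks_https_url` check is the property a reviewer of a site's CSP would care about: under `always` the audit reports a leak for the sample navigation, while `default` and `origin` do not.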
