- From: Tom Sepez <tsepez@chromium.org>
- Date: Tue, 22 Oct 2013 15:02:33 -0700
- To: public-webappsec@w3.org
Received on Tuesday, 22 October 2013 22:03:55 UTC

I was reading the draft spec for the content-security-policy referrer directive, and I was hoping that there could be a way to convey that the "always" option may be unsafe for HTTPS. Similar to the existing "unsafe-eval" and "unsafe-inline" directives, perhaps this could be "unsafe-always" instead. It has been pointed out to me that this sounds too much like "always unsafe", so perhaps there is a better name to be found.

Thanks heaps,
--Tom.