
Re: Content-Security-Policy: referrer always

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 23 Oct 2013 12:12:33 +0100
Message-ID: <CADnb78gpZfZqJB3jwzCLy5fovw-xAbeAsMzLbt0HpnuX6Qj=hA@mail.gmail.com>
To: Tom Sepez <tsepez@chromium.org>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Tue, Oct 22, 2013 at 11:02 PM, Tom Sepez <tsepez@chromium.org> wrote:
> I was reading the draft spec for the content-security-policy referrer
> directive, and I was hoping that there could be a way to convey that the
> "always" option may be unsafe for HTTPS. Similar to the existing
> "unsafe-eval" and "unsafe-inline" directives, perhaps this could be
> "unsafe-always" instead.
> It has been pointed out to me that this sounds too much like "always
> unsafe", so perhaps there is a better name to be found.

So the rationale for permitting that is search engine results where
the search engine uses TLS?

Given that Referer will only have useful values for http/https URLs
(maybe ftp?), maybe we can make the names more explicit?

* never
* origin
* https-unsafe
* safe-or-origin (it seems this is what default should be, bug in the
current draft?)

Received on Wednesday, 23 October 2013 11:13:04 UTC
