Re: Content-Security-Policy: referrer always

On Tue, Oct 22, 2013 at 11:02 PM, Tom Sepez <tsepez@chromium.org> wrote:
> I was reading the draft spec for the content-security-policy referrer
> directive, and I was hoping that there could be a way to convey that the
> "always" option may be unsafe for HTTPS. Similar to the existing
> "unsafe-eval" and "unsafe-inline" directives, perhaps this could be
> "unsafe-always" instead.
>
> It has been pointed out to me that this sounds too much like "always
> unsafe", so perhaps there is a better name to be found.

So the rationale for permitting that is search engine results where
the search engine uses TLS?

Given that Referer will only have useful values for http/https URLs
(maybe ftp?), maybe we can make the names more explicit?

* never
* origin
* https-unsafe
* safe-or-origin (it seems this is what default should be, bug in the
current draft?)


-- 
http://annevankesteren.nl/

Received on Wednesday, 23 October 2013 11:13:04 UTC
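The leak the thread is discussing, worked through as an added example (this is not code from the thread, from the draft, or from any browser): a small model of how a user agent would compute the Referer header under each keyword of the draft `referrer` directive, fed with an HTTPS search-results page linking to an HTTP site and to an HTTPS site. The keyword names (`never`, `origin`, `always`, `default`) are the draft's as quoted above; treating `default` as "full URL, but no header on an HTTPS-to-HTTP downgrade" is my reading of what Anne calls the safe behaviour, and the function names and sample URLs are constructed for the example.

```javascript
// Added example: model of the Referer header a browser would send for a
// request from `from` to `to` under one keyword of the draft CSP
// "referrer" directive. Keyword names are the draft's; the helper names
// and sample URLs below are this example's own assumptions.
// Uses only the WHATWG URL global (Node >= 10 or any browser).

// Credentials (user:pw@) and the fragment (#...) never belong in a
// Referer value, whatever the policy, so strip them first.
function stripForReferer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only form: scheme://host[:port]/ with no path, query or fragment.
function originOf(url) {
  return new URL(url).origin + "/";
}

// Referer carries meaning only for http/https documents (Anne's point
// above); file:, data:, about:blank etc. yield no header at all.
function isHttpFamily(url) {
  const p = new URL(url).protocol;
  return p === "http:" || p === "https:";
}

// The unsafe case from Tom's mail: an HTTPS page fetching an HTTP target,
// so the full HTTPS URL would cross the wire in plaintext.
function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}

// Returns the Referer header value, or null when the header is omitted.
function refererFor(policy, from, to) {
  if (!isHttpFamily(from) || !isHttpFamily(to)) return null;
  switch (policy) {
    case "never":
      return null;
    case "origin":
      return originOf(from);
    case "always":
      // Full URL regardless of downgrade: this is what makes "always"
      // unsafe for HTTPS and prompted the "unsafe-" naming suggestion.
      return stripForReferer(from);
    case "default":
      // Assumed draft intent: full URL, but nothing on an https -> http hop.
      return isDowngrade(from, to) ? null : stripForReferer(from);
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Constructed sample: a TLS search engine's results page (the use case
// Anne asks about) linking to a plaintext site and to a TLS site.
const SEARCH_PAGE = "https://search.example/results?q=secret+query#top";
const HTTP_TARGET = "http://plain.example/article";
const HTTPS_TARGET = "https://secure.example/article";

// One row per (policy, target): what, if anything, leaves the browser.
function leakTable() {
  const rows = [];
  for (const policy of ["never", "origin", "always", "default"]) {
    for (const to of [HTTP_TARGET, HTTPS_TARGET]) {
      rows.push({ policy: policy, to: to, referer: refererFor(policy, SEARCH_PAGE, to) });
    }
  }
  return rows;
}

for (const r of leakTable()) {
  console.log(r.policy.padEnd(8), r.to.padEnd(30), String(r.referer));
}
```

Running it shows the point of the naming debate in one table: only `always` sends `https://search.example/results?q=secret+query` to the HTTP target, `default` drops the header on that row and sends the full URL on the HTTPS row, and `origin` sends just `https://search.example/` to both.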