W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2014

Re: referrer directive expressiveness

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 10 Feb 2014 12:50:55 +0100
Message-ID: <CADnb78j+cfW1b0yZLGb_KMhSSxvb_Spu6ETu9y=6pwraxgnD3g@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: David Bruant <bruant.d@gmail.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Feb 10, 2014 at 12:32 PM, Mike West <mkwst@google.com> wrote:
> Added this to the draft spec in
> https://github.com/w3c/webappsec/commit/601923fddb26d128cc30fe8b0671deb3df3ad85a
> If folks hate the names, bikeshedding is welcome. I'm not firmly attached to
> them.

Are you going to migrate http://wiki.whatwg.org/wiki/Meta_referrer
towards these new names too?

There is a small problem with "none-when-insecure". Given the
existence of https://gist.github.com/ and similar sites that put the
secret in the URL, it can be unsafe to send out Referer (at least when
there's more than just origin) even over TLS. So maybe we should keep
the name "default" for that.

Received on Monday, 10 February 2014 11:51:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:37 UTC