Re: referrer directive expressiveness

On Mon, Feb 10, 2014 at 12:50 PM, Anne van Kesteren <>wrote:

> On Mon, Feb 10, 2014 at 12:32 PM, Mike West <> wrote:
> > Added this to the draft spec in
> >
> >
> > If folks hate the names, bikeshedding is welcome. I'm not firmly
> attached to
> > them.
> Are you going to migrate
> towards these new names too?

I'm happy to make that suggestion, sure. Blink would likely have to alias
both names for some period of time, but that's no worse than a variety of
other places in which we do strange things based on history.

> There is a small problem with "none-when-insecure". Given the
> existence of and similar sites that put the
> secret in the URL, it can be unsafe to send out Referer (at least when
> there's more than just origin) even over TLS. So maybe we should keep
> the name "default" for that.

Hrm. I can see that. "none-when-insecure" was meant to refer to the
transport mechanism only, but I agree with you that it's potentially
confusing. My only concern with "default" is that it might end up meaning
different things to different browsers (see
example). It would be nice to have a name that reflected explicit
functionality as opposed to implicitly falling back on UA behavior. I don't
have a good suggestion other than what I've already suggested. I'd
appreciate suggestions from the group...

Mike West <>
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 10 February 2014 12:40:52 UTC