Re: referrer directive expressiveness

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 10 Feb 2014 15:47:05 +0100
Message-ID: <CADnb78g4wd3RGv-akKkc5LwFKcKJ1hfnfAp3PYEegjHND7BTsw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: David Bruant <bruant.d@gmail.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>

On Mon, Feb 10, 2014 at 3:37 PM, Mike West <mkwst@google.com> wrote:
> On Mon, Feb 10, 2014 at 3:05 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> "url-unless-downgrade" might make more sense given that description?
> "downgrade" sounds perfect. I'm not thrilled with 'unless', though. I'm not
> sure it's any clearer to specify the "unless" case than the "when" case.

"none-when-downgrade"? That it's full otherwise I guess you'll have to
learn. Just as you have to learn something with the others.

> I guess we could change "origin-when-cross-origin" to
> "url-unless-cross-origin", but I'm not sure how to distinguish between the
> "unless" behavior: "unless-downgrade" sends no referrer.
> "unless-cross-origin" sends origin information. For that reason, I'd prefer
> "none-when-downgrade" and "origin-when-cross-origin", as they specify the
> important differences more clearly.
> All that said, I think I now agree with you that "default" might be better.
> :)

Hah, "default" works for me, though "none-when-downgrade" might be
better as clearly the default might be changing over time. It's not
really an area we've put much effort into so far.

> I agree. The spec (and <meta referrer> before it) notes that user agents
> should feel more than free to limit referrer information in whatever way
> they feel appropriate, regardless of the defined referrer policy.

Okay, I guess that's all good then.

Received on Monday, 10 February 2014 14:47:32 UTC
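
Added example, not part of the thread or of any spec text: a JavaScript sketch of what the two policy names discussed above would send, so the difference between "sends no referrer" and "sends origin information" can be compared side by side. It assumes "downgrade" means an https: page requesting a non-https: URL and that the full referrer is the page URL without credentials or fragment; the function names and sample URLs are constructed for illustration.

```javascript
// Policy names are the ones proposed in the thread; everything else is assumed.
// Assumption: the "full" referrer is the source URL minus credentials and fragment.
function strippedUrl(u) {
  const copy = new URL(u.href);
  copy.username = "";
  copy.password = "";
  copy.hash = "";
  return copy.href;
}

// Assumption: "downgrade" = https: source requesting a non-https: destination.
function isDowngrade(source, destination) {
  return source.protocol === "https:" && destination.protocol !== "https:";
}

// Returns the Referer header value, or null when no header would be sent.
function referrerFor(policy, sourceHref, destinationHref) {
  const source = new URL(sourceHref);
  const destination = new URL(destinationHref);
  switch (policy) {
    case "none-when-downgrade":
      // Nothing on downgrade; the full URL in every other case.
      return isDowngrade(source, destination) ? null : strippedUrl(source);
    case "origin-when-cross-origin":
      // Full URL only to the same origin; just the origin to anyone else.
      return source.origin === destination.origin
        ? strippedUrl(source)
        : source.origin + "/";
    default:
      throw new RangeError("unknown policy: " + policy);
  }
}

// Constructed sample URLs (not from the thread).
const page = "https://shop.example/cart?session=abc123#items";
const cases = [
  ["same origin", "https://shop.example/checkout"],
  ["cross origin", "https://cdn.example/lib.js"],
  ["downgrade", "http://tracker.example/pixel.gif"],
];
for (const [label, dest] of cases) {
  for (const policy of ["none-when-downgrade", "origin-when-cross-origin"]) {
    console.log(label, "|", policy, "|", referrerFor(policy, page, dest));
  }
}
```

Under these assumptions "none-when-downgrade" still hands the query string to a cross-origin HTTPS destination, while "origin-when-cross-origin" trims it to the origin for every destination outside the page's own origin.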