Re: CSP 1.1 referrer + meta >= <meta name="referrer"> ?

You're correct: the referrer directive is meant to provide similar
functionality to what's specced at
The goal is certainly to fold that functionality into this standard, in the
same way that we've brought in the 'X-Frame-Options' and 'X-XSS-Protection'
functionality. Ideally, you'd be able to just use CSP, rather than
configuring in a few different places.

The note about conflicting policies remains important, however, for two

1. It's quite possible for more than one Content Security Policy to be
delivered with a page: a server might be configured in such a way that it
emits two policy headers, for instance.

2. The spec mandates behavior for processing `<meta
http-equiv="Content-Security-Policy" ...>`. It does not otherwise address
alternate mechanisms of setting policies outside the scope of CSP. If we
removed the note, I don't believe it would be clear what a user agent
should do when both a 'referrer' directive and a 'referrer' meta tag were
present. Same story for XSS protection and X-Frame-Options.


Mike West <>
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registry court and registration number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Jan 30, 2014 at 3:10 AM, David Bruant <> wrote:

> [Not sure if this list or whatwg is most appropriate.
> cc'ing Adam Barth in any case]
> Hi,
> It looks to me that combining the CSP 1.1 referrer directive and the HTML meta
> element, one gets at least the same result as what was intended for
> <meta name="referrer">.
> Should we forget about <meta name="referrer"> then?
> The referrer directive currently has a note about conflicting policies.
> This note could be removed. Conflicts could only occur if there are
> conflicts between header and meta policy, and the CSP spec is very clear on
> the fact that the header is more important.
> David
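To make the ambiguity Mike describes concrete from an operator's side, the following is an added example (not code from the thread or from any CSP implementation) that enumerates every place a page declares a referrer policy: each `Content-Security-Policy` header when a server emits more than one (point 1), a `<meta http-equiv="Content-Security-Policy">`, and a `<meta name="referrer">` (point 2). It does not decide which source wins, because that is exactly what the message says the spec leaves open; it only flags that several sources disagree. The sample response and the policy tokens `origin`, `never` and `always` are constructed for illustration, not a statement of which values the draft accepted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response, not taken from the thread: a server that emits
# two CSP headers, plus an HTML body that carries both a CSP meta element and
# a <meta name="referrer"> element.
SAMPLE_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; referrer origin"),
    ("Content-Security-Policy", "referrer never"),
]
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="referrer origin">
<meta name="referrer" content="always">
</head><body></body></html>"""


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split one serialized policy into {directive-name: [values]}.

    Directives are separated by ';', the name from its values by whitespace.
    Within a single policy only the first occurrence of a directive is kept.
    """
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        directives.setdefault(parts[0].lower(), parts[1:])
    return directives


META_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')


def meta_tags(html: str) -> List[Dict[str, str]]:
    """Return each <meta> element as a dict of lower-cased attribute names."""
    return [
        {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        for tag in META_RE.findall(html)
    ]


def referrer_policy_sources(headers: List[Tuple[str, str]],
                            html: str) -> List[Tuple[str, str]]:
    """Collect every declared referrer policy as (source, value), in document order."""
    sources: List[Tuple[str, str]] = []
    for i, (name, value) in enumerate(headers):
        if name.lower() == "content-security-policy":
            directives = parse_csp(value)
            if "referrer" in directives:
                sources.append((f"csp-header[{i}]", " ".join(directives["referrer"])))
    for tag in meta_tags(html):
        if tag.get("http-equiv", "").lower() == "content-security-policy":
            directives = parse_csp(tag.get("content", ""))
            if "referrer" in directives:
                sources.append(("csp-meta", " ".join(directives["referrer"])))
        elif tag.get("name", "").lower() == "referrer":
            sources.append(("meta-referrer", tag.get("content", "")))
    return sources


def conflicts(sources: List[Tuple[str, str]]) -> List[str]:
    """Describe every source when the declared values do not all agree; empty otherwise."""
    distinct = {value.lower() for _, value in sources}
    if len(distinct) <= 1:
        return []
    return [f"{source} says {value!r}" for source, value in sources]


if __name__ == "__main__":
    found = referrer_policy_sources(SAMPLE_HEADERS, SAMPLE_HTML)
    for line in conflicts(found) or ["no conflicting referrer policies"]:
        print(line)
```

Run against a real response by feeding it the list of header (name, value) pairs and the HTML body; a non-empty result from `conflicts` is the case the thread is about, where the user agent's choice is not pinned down by the spec text alone.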

Received on Thursday, 30 January 2014 15:09:02 UTC