Re: CSP 1.1 referrer + meta >= <meta name="referrer"> ?

On Thu, Jan 30, 2014 at 7:18 AM, David Bruant <bruant.d@gmail.com> wrote:

> On 30/01/2014 16:08, Mike West wrote:
>
>> The note about conflicting policies remains important, however, for two
>> reasons(...)
>>
> I was speaking of the note currently at "3.2.5.13.1 Processing multiple
> referrer policies" (because it's uniquely dependent on the existence of
> <meta name="referrer"> I think). I agree with you that the other parts
> relating to conflicting policies are important.


Hrm. I think that's necessary to define what happens if two CSP headers
conflict (e.g. the first sets "referrer always" and the second sets
"referrer origin"). Would adding "or in multiple 'Content-Security-Policy'
headers" to the parenthetical in that section be helpful?

-mike

Received on Thursday, 30 January 2014 15:57:15 UTC