Re: CSP 1.1 referrer + meta >= <meta name="referrer"> ?

From: David Bruant <bruant.d@gmail.com>
Date: Thu, 30 Jan 2014 17:01:32 +0100
Message-ID: <52EA775C.8020005@gmail.com>
To: Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <abarth@chromium.org>

On 30/01/2014 16:56, Mike West wrote:
> On Thu, Jan 30, 2014 at 7:18 AM, David Bruant <bruant.d@gmail.com> wrote:
>
>     On 30/01/2014 16:08, Mike West wrote:
>
>         The note about conflicting policies remains important,
>         however, for two reasons(...)
>
>     I was speaking of the note currently at "3.2.5.13.1 Processing
>     multiple referrer policies" (because it's uniquely dependent on
>     the existence of <meta name="referrer"> I think). I agree with you
>     that the other parts relating to conflicting policies are important.
>
>
> Hrm. I think that's necessary to define what happens if two CSP 
> headers conflict (e.g. the first sets "referrer always" and the second 
> sets "referrer origin").
Oh yes. You're right, my mistake.

> Would adding "or in multiple 'Content-Security-Policy' headers" to the 
> parenthetical in that section be helpful?
Things are good as they are (as far as I'm concerned at least). Sorry 
for the noise.

David
Received on Thursday, 30 January 2014 16:02:02 UTC
