Re: CSP 1.1 referrer + meta >= <meta name="referrer"> ? from David Bruant on 2014-01-30 (public-webappsec@w3.org from January 2014)

From: David Bruant <bruant.d@gmail.com>
Date: Thu, 30 Jan 2014 17:01:32 +0100
To: Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <abarth@chromium.org>
Message-ID: <52EA775C.8020005@gmail.com>

Le 30/01/2014 16:56, Mike West a écrit :
> On Thu, Jan 30, 2014 at 7:18 AM, David Bruant <bruant.d@gmail.com 
> <mailto:bruant.d@gmail.com>> wrote:
>
>     Le 30/01/2014 16:08, Mike West a écrit :
>
>         The note about conflicting policies remains important,
>         however, for two reasons(...)
>
>     I was speaking of the note currently at "3.2.5.13.1 Processing
>     multiple referrer policies" (because it's uniquely dependent on
>     the existence of <meta name="referrer"> I think). I agree with you
>     that the other parts relating to conflicting policies are important.
>
>
> Hrm. I think that's necessary to define what happens if two CSP 
> headers conflict (e.g. the first sets "referrer always" and the second 
> sets "referrer origin").
oh yes. You're right, my mistake.

> Would adding "or in multiple 'Content-Security-Policy' headers" to the 
> parenthetical in that section be helpful?
Things are good as they are (as far as I'm concerned at least). Sorry 
for the noise.

David

Received on Thursday, 30 January 2014 16:02:02 UTC