
referrer directive expressiveness

From: David Bruant <bruant.d@gmail.com>
Date: Thu, 30 Jan 2014 23:45:00 +0100
Message-ID: <52EAD5EC.2090106@gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi,

The referrer directive currently suffers from an expressiveness issue. 
The one that was raised a while back [1]. This lack of expressiveness is 
biting Facebook for instance [2].
In essence, the policy only allows to tell what's being sent (complete 
referrer, only origin, empty string), but it sends it regardless of 
who it is sent to. However, in Facebook's case, they would like to send 
the full referrer during internal navigation, but a reduced referrer for 
external links. This currently can't be expressed with CSP 1.1.

I suggested to split both concerns into two combinable keywords. He 
suggested that not all combinations make sense [3]. I pointed to a use case 
which I thought makes sense (and is Facebook's current case). He asked for 
a name for that combination. I couldn't think of something better than 
"internal". Better suggestions welcome.

When I read our exchanges back then and compare to the current CSP1.1 
referrer directive, I notice that the semantics changed a bit.

Should the two keywords be split (even if some combinations don't really 
make sense) or should a single value be added for Facebook's current use case?

David

[1] end of 
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-December/034275.html
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=704320#c86
[3] end of 
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-December/034276.html
Received on Thursday, 30 January 2014 22:45:30 UTC
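As an added illustration (not part of David's mail, nor text from any spec), the following models what referrer a browser would send under each behaviour the mail describes, and shows why no single "what to send" value covers the Facebook case. The policy names "none", "origin" and "full" are assumed labels for the three CSP 1.1 behaviours listed in the mail; "internal" is the combined keyword the mail proposes; the URLs are constructed samples.

```javascript
// Remove credentials and fragment, which are never sent as part of a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Referrer value sent when navigating from `fromUrl` to `toUrl` under `policy`.
// "none", "origin" and "full" depend only on the source page (what is sent);
// "internal" additionally looks at the destination (who it is sent to).
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  switch (policy) {
    case "none":
      return "";
    case "origin":
      return from.origin + "/";
    case "full":
      return stripForReferrer(fromUrl);
    case "internal": // proposed: full referrer within the origin, origin only elsewhere
      return sameOrigin ? stripForReferrer(fromUrl) : from.origin + "/";
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Constructed sample navigation: one internal link, one external link.
const PAGE = "https://www.facebook.com/profile.php?id=123#top";
const INTERNAL_LINK = "https://www.facebook.com/photos";
const EXTERNAL_LINK = "https://example.com/article";

// The requirement from the mail: full referrer internally, origin only externally.
function satisfiesFacebookCase(policy) {
  const internal = referrerFor(policy, PAGE, INTERNAL_LINK);
  const external = referrerFor(policy, PAGE, EXTERNAL_LINK);
  return internal === stripForReferrer(PAGE) && external === new URL(PAGE).origin + "/";
}

// Which policies meet the requirement; only the combined keyword does.
function policiesSatisfyingFacebookCase() {
  return ["none", "origin", "full", "internal"].filter(satisfiesFacebookCase);
}
```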