- From: David Bruant <bruant.d@gmail.com>
- Date: Thu, 30 Jan 2014 23:45:00 +0100
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi,

The referrer directive currently suffers from an expressiveness issue, the one that was raised a while back [1]. This lack of expressiveness is biting Facebook, for instance [2]. In essence, the policy only allows telling what is being sent (complete referrer, only origin, empty string), but it is sent regardless of who it is sent to. However, in Facebook's case, they would like to send the full referrer during internal navigation, but a reduced referrer for external links. This currently can't be expressed with CSP 1.1.

I suggested splitting both concerns into two combinable keywords. He suggested that not all combinations make sense [3]. I pointed to a use case which I thought made sense (and is Facebook's current case). He asked for a name for that combination. I couldn't think of something better than "internal". Better suggestions welcome.

When I read our exchanges back then and compare them to the current CSP 1.1 referrer directive, I notice that the semantics changed a bit. Should the two keywords be split (even if some combinations don't really make sense) or should a single value be added for Facebook's current use case?

David

[1] end of http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-December/034275.html
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=704320#c86
[3] end of http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-December/034276.html
Received on Thursday, 30 January 2014 22:45:30 UTC
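To make the gap concrete, here is a small model (an added example, not code from the email or from any spec or browser) of how a referrer value is derived from the three existing behaviours the message lists, under the keyword names the CSP 1.1 draft used for them, alongside the proposed origin-dependent combination the thread tentatively calls "internal" (a hypothetical name, not a real CSP keyword): full referrer when the target is same-origin, origin only when it is cross-origin.

```javascript
// Referrer values never carry credentials or the fragment; strip them
// before the URL is used as a referrer.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

// Origin-only form, serialized the way a Referer header would carry it.
function originOf(u) {
  return new URL(u).origin + '/';
}

// Compute the referrer sent when navigating from `fromUrl` to `toUrl`
// under `policy`. The existing keywords pick a single form regardless of
// the destination, which is the expressiveness problem the email
// describes; only the hypothetical 'internal' keyword looks at the target.
function computeReferrer(policy, fromUrl, toUrl) {
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  switch (policy) {
    case 'none':       // empty string
      return '';
    case 'origin':     // only the origin, to every destination
      return originOf(fromUrl);
    case 'unsafe-url': // complete referrer, to every destination
      return stripForReferrer(fromUrl);
    case 'internal':   // hypothetical: full referrer only within the origin
      return sameOrigin ? stripForReferrer(fromUrl) : originOf(fromUrl);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Constructed sample: an internal link and an external link from the same page.
const page = 'https://social.example/profile?id=42#photos';
console.log(computeReferrer('internal', page, 'https://social.example/feed'));
console.log(computeReferrer('internal', page, 'https://news.example/story'));
```

Note that the real browser default of suppressing the referrer on an HTTPS-to-HTTP downgrade is deliberately left out so the model stays focused on the destination-origin distinction.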