
Re: referrer directive expressiveness

From: David Bruant <bruant.d@gmail.com>
Date: Fri, 31 Jan 2014 00:13:02 +0100
Message-ID: <52EADC7E.9040109@gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 31/01/2014 00:04, Anne van Kesteren wrote:
> On Thu, Jan 30, 2014 at 2:45 PM, David Bruant <bruant.d@gmail.com> wrote:
>> Should the two keywords be split (even if some combinations don't really
>> make sense) or should a single value be added for Facebook current use case?
> I feel like origin should mean what Facebook wants. Is there a use
> case for only sending the origin to your own server?
>
> never -> never include Referer
> origin -> full Referer for same-origin fetches, origin Referer for
> cross-origin fetches
That's the semantics that Facebook needs, but it is not what I read from
the CSP 1.1 draft I've found [1]:
"If the referrer policy is origin, return the ASCII serialization of
referrer."
I'm not sure I understand what "ASCII serialization" means, but it
doesn't seem like it depends on whether the request is addressed to the
same origin or a different one?

> full -> full Referer for all fetches
Did you mean "always"?

David

[1] http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#referrer
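Added example, not part of this thread and not text from the CSP draft: the referrer-policy semantics Anne lays out in the quoted message, written as a small JavaScript function that computes the Referer value a user agent would send for a given policy, referring page and request URL. The `draftOriginOnly` switch implements the alternative reading David takes from the draft (the `origin` value always yields just the origin, regardless of destination), so the two interpretations can be compared side by side. The `always`/`full` alias, the trailing-slash form of the origin, and the stripping of credentials and fragments from a full Referer are assumptions made here for illustration.

```javascript
// Added example (not from the thread or the CSP draft). Computes the Referer
// header value for the policy keywords discussed above.
//
// Semantics as described in the quoted message:
//   never  -> no Referer at all
//   origin -> full Referer for same-origin fetches, origin-only for cross-origin
//   always -> full Referer for all fetches ("full" accepted as an alias)
//
// draftOriginOnly: assumed flag modelling the other reading of the draft, where
// "origin" always sends only the origin, same-origin or not.

function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  // URL.host includes a non-default port, so this compares scheme, host and port.
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

function fullReferer(url) {
  // Assumption: a full Referer omits credentials and the fragment.
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

function originReferer(url) {
  // Assumption: origin-only Referer is serialized with a trailing slash.
  return new URL(url).origin + '/';
}

function refererFor(policy, referrerUrl, requestUrl, { draftOriginOnly = false } = {}) {
  switch (policy) {
    case 'never':
      return null;
    case 'origin':
      if (!draftOriginOnly && sameOrigin(referrerUrl, requestUrl)) {
        return fullReferer(referrerUrl);
      }
      return originReferer(referrerUrl);
    case 'always':
    case 'full':
      return fullReferer(referrerUrl);
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Constructed sample inputs: a page on one site fetching from itself and from another site.
const page = 'https://site.example/account/settings?tab=privacy#top';
const sameSite = 'https://site.example/api/profile';
const otherSite = 'https://cdn.other.example/widget.js';

for (const policy of ['never', 'origin', 'always']) {
  console.log(policy, 'same-origin :', refererFor(policy, page, sameSite));
  console.log(policy, 'cross-origin:', refererFor(policy, page, otherSite));
}
console.log('origin (draft reading) same-origin:',
  refererFor('origin', page, sameSite, { draftOriginOnly: true }));
```

Running it shows the point under discussion: with the message's semantics, `origin` leaks the full path and query to the site itself but only `https://site.example/` to the cross-origin host, whereas the draft reading sends only the origin in both cases.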
Received on Thursday, 30 January 2014 23:13:31 UTC