- From: David Bruant <bruant.d@gmail.com>
- Date: Fri, 31 Jan 2014 00:13:02 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 31/01/2014 00:04, Anne van Kesteren wrote:
> On Thu, Jan 30, 2014 at 2:45 PM, David Bruant <bruant.d@gmail.com> wrote:
>> Should the two keywords be split (even if some combinations don't really
>> make sense) or should a single value be added for Facebook current use case?
> I feel like origin should mean what Facebook wants. Is there a use
> case for only sending the origin to your own server?
>
> never -> never include Referer
> origin -> full Referer for same-origin fetches, origin Referer for
> cross-origin fetches

That's the semantics that Facebook needs, but is not what I read from the CSP 1.1 draft I've found [1]:
"If the referrer policy is origin, return the ASCII serialization of referrer."
I'm not sure I understand what "ASCII serialization" means, but it doesn't seem like it depends on whether the request is addressed to the same origin or a different one?

> full -> full Referer for all fetches

Did you mean "always"?

David

[1] http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#referrer

Received on Thursday, 30 January 2014 23:13:31 UTC
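
The two readings of the `origin` keyword discussed in the message above, side by side, as an added example that is not part of the original e-mail or of the CSP draft. The function names, the `reading` parameter and the sample URLs are constructed for illustration; the "draft" reading assumes the quoted sentence means the origin-only value is sent on every request, and `full` and `always` are treated as the same keyword.

```javascript
// Added example: compares two readings of the "origin" referrer policy.
// All names and URLs here are constructed for illustration.

// Full referrer: the document URL without credentials or fragment.
function fullReferrer(documentUrl) {
  const u = new URL(documentUrl);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only referrer: scheme://host[:port]/ with no path or query.
function originOnly(documentUrl) {
  return new URL(documentUrl).origin + "/";
}

function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// reading = "proposed": full Referer for same-origin fetches,
//                       origin Referer for cross-origin fetches.
// reading = "draft":    assumption that the quoted draft sentence yields the
//                       origin-only value regardless of the destination.
function computeReferrer(policy, reading, documentUrl, requestUrl) {
  switch (policy) {
    case "never":
      return null; // no Referer header at all
    case "full":
    case "always":
      return fullReferrer(documentUrl);
    case "origin":
      if (reading === "proposed" && isSameOrigin(documentUrl, requestUrl)) {
        return fullReferrer(documentUrl);
      }
      return originOnly(documentUrl);
    default:
      throw new RangeError("unknown referrer policy: " + policy);
  }
}

// Constructed sample: a page whose path and query identify a user.
const DOC = "https://social.example/profile/alice?tab=photos#top";
const SAME = "https://social.example/api/log";
const CROSS = "https://cdn.example/lib.js";
```

The readings differ only for same-origin requests: under the "draft" reading the site's own server loses the path and query, which is the case Anne's question about "only sending the origin to your own server" is asking about.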