- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 4 Nov 2014 21:00:33 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: Brad Hill <hillbrad@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, Chris Palmer <palmer@google.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> For these reasons, even if you disagree with my original argument that all > CSP directives should be purely restrictive, I still encourage you to push > CSP Referrer back to CSP3 so that it can be improved. Particularly, I think I don't think pushing to CSP3 is necessary. The question here is not that complicated: do we want the referer directive to be restrictive only or not? For example, one option could be to change the wording to say that UAs could optionally always restrict and let the UAs decide. --dev
Received on Wednesday, 5 November 2014 05:07:44 UTC