
Re: CSP: Problems with referrer and reflected-xss

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 4 Nov 2014 21:00:33 -0800
Message-ID: <CAPfop_0tKnHU2Qex9yMuFhSaarE6JsGKzin_bAf4fRvohf_c2g@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Brad Hill <hillbrad@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, Chris Palmer <palmer@google.com>, Glenn Adams <glenn@skynav.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> For these reasons, even if you disagree with my original argument that all
> CSP directives should be purely restrictive, I still encourage you to push
> CSP Referrer back to CSP3 so that it can be improved. Particularly, I think

I don't think pushing to CSP3 is necessary. The question here is not
that complicated: do we want the referrer directive to be restrictive
only or not? For example, one option could be to change the wording to
say that UAs could optionally always restrict and let the UAs decide.

--dev
Received on Wednesday, 5 November 2014 05:07:44 UTC
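As an added illustration (not part of the thread), a small Python model of the two readings of the CSP referrer directive discussed above: a UA that treats the directive as restrictive-only (it may only reduce what the Referer header discloses relative to the UA default) versus one that lets the directive replace the default outright. The policy names are the CSP 1.1 draft's referrer directive values; the UA default, the header text and the URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Disclosure levels: how much of the source URL ends up in the Referer header.
NONE, ORIGIN, FULL = 0, 1, 2


def disclosure(policy, same_origin, downgrade):
    """Disclosure level a single referrer policy yields for one request."""
    if policy == "no-referrer":
        return NONE
    if policy == "no-referrer-when-downgrade":
        return NONE if downgrade else FULL
    if policy == "origin":
        return ORIGIN
    if policy == "origin-when-cross-origin":
        return FULL if same_origin else ORIGIN
    if policy == "unsafe-url":
        return FULL
    raise ValueError(f"unknown referrer policy: {policy}")


def render(level, source):
    """Turn a disclosure level into the Referer value (None = header omitted)."""
    if level == NONE:
        return None
    p = urlsplit(source)
    if level == ORIGIN:
        return f"{p.scheme}://{p.netloc}"
    return source.split("#", 1)[0]  # full URL, fragment stripped


def _request_facts(source, dest):
    s, d = urlsplit(source), urlsplit(dest)
    same_origin = (s.scheme, s.netloc) == (d.scheme, d.netloc)
    downgrade = s.scheme == "https" and d.scheme == "http"
    return same_origin, downgrade


def referrer_for(policy, source, dest):
    """Referer a UA sends under one policy, with no CSP interaction."""
    return render(disclosure(policy, *_request_facts(source, dest)), source)


def effective_referrer(ua_default, directive, source, dest, restrictive_only):
    """Combine the UA default with the page's CSP referrer directive.
    restrictive_only=True: the directive can only lower disclosure (the
    "purely restrictive" reading). False: the directive overrides the default."""
    facts = _request_facts(source, dest)
    base, wanted = disclosure(ua_default, *facts), disclosure(directive, *facts)
    return render(min(base, wanted) if restrictive_only else wanted, source)


def parse_referrer_directive(csp_header):
    """Pull the value of a 'referrer' directive out of a CSP header, if present."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if len(parts) == 2 and parts[0].lower() == "referrer":
            return parts[1]
    return None
```

With a constructed UA default of no-referrer-when-downgrade, a page declaring `referrer unsafe-url` gets the full HTTPS URL (query string included) sent to an HTTP destination only under the overriding reading; the restrictive-only reading keeps the header suppressed.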
