- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sat, 8 Nov 2014 14:46:45 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, eisinger@google.com
Thinking a bit more about this: it's probably more reasonable if you're hoping to safeguard tokens from ending up in various Referer analytics reports for unrelated parts of the site (the access to which may be delegated to people who have no interest in seeing the URLs). I still feel that if we're adding so much complexity to the directive, we should probably just bite the bullet and allow people to specify policies for domains in a CSP fashion, i.e., detailed referrer goes to *.google.com, *.google.com.pl, *.facebook.com/foo, origin referrer goes to *, etc. It would let people use analytics across multi-domain properties while reaping the benefits of a safe default for the rest of the Internet.

/mz
Received on Saturday, 8 November 2014 22:47:33 UTC
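As an added illustration, not part of Zalewski's message or of any W3C draft, the following JavaScript models the per-destination policy table he sketches: a CSP-style list of host patterns, each mapped to how much of the referring URL may be disclosed to that destination. The pattern grammar, the mode names ("full", "origin", "none"), the rule that an unmatched destination gets no Referer, and the HTTPS-to-HTTP downgrade check are all assumptions made for this example; no browser implements this syntax.

```javascript
// Added example (not from the original thread): a toy model of the
// per-destination referrer policy proposed above, using CSP-like host
// patterns. Pattern grammar and mode names are assumptions for illustration.
// Uses the WHATWG URL class that Node and browsers provide globally.

// Policy table: the first matching rule wins, in the order given.
// mode "full"   -> send the whole URL (minus fragment and credentials)
// mode "origin" -> send only scheme://host[:port]/
// mode "none"   -> send no Referer at all
// Constructed to mirror the rules listed in the message.
const EXAMPLE_POLICY = [
  { pattern: "*.google.com", mode: "full" },
  { pattern: "*.google.com.pl", mode: "full" },
  { pattern: "*.facebook.com/foo", mode: "full" },
  { pattern: "*", mode: "origin" },
];

// Split a pattern like "*.facebook.com/foo" into host and path parts.
function parsePattern(pattern) {
  const slash = pattern.indexOf("/");
  const host = slash === -1 ? pattern : pattern.slice(0, slash);
  const path = slash === -1 ? "/" : pattern.slice(slash);
  return { host: host.toLowerCase(), path };
}

// CSP-style host match: "*" matches any host; "*.example.com" matches any
// subdomain of example.com but, as in CSP source lists, not example.com
// itself; any other pattern must match the host exactly.
function hostMatches(patternHost, host) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    const suffix = patternHost.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return patternHost === host;
}

// Path match: the pattern path is a prefix that must end on a segment
// boundary, so "/foo" covers "/foo" and "/foo/bar" but not "/foobar".
function pathMatches(patternPath, path) {
  if (patternPath === "/") return true;
  if (path === patternPath) return true;
  const prefix = patternPath.endsWith("/") ? patternPath : patternPath + "/";
  return path.startsWith(prefix);
}

// Find the mode the policy assigns to a destination URL.
function lookupMode(policy, destination) {
  const dest = new URL(destination);
  const host = dest.hostname.toLowerCase();
  for (const rule of policy) {
    const { host: ph, path: pp } = parsePattern(rule.pattern);
    if (hostMatches(ph, host) && pathMatches(pp, dest.pathname)) return rule.mode;
  }
  return "none"; // nothing matched: disclose nothing (assumed default)
}

// Compute the Referer value a request from `source` to `destination` would
// carry under `policy`. Returns null when no Referer header should be sent.
function computeReferrer(policy, source, destination) {
  const src = new URL(source);
  // Assumed safe default, independent of the table: never disclose an
  // HTTPS referrer to a plain-HTTP destination.
  if (src.protocol === "https:" && new URL(destination).protocol === "http:") {
    return null;
  }
  switch (lookupMode(policy, destination)) {
    case "full":
      src.hash = "";      // fragments are never sent in Referer
      src.username = "";  // nor are embedded credentials
      src.password = "";
      return src.href;
    case "origin":
      return src.origin + "/";
    default:
      return null;
  }
}

// Usage: a page on www.example.org navigating to an analytics endpoint.
console.log(computeReferrer(EXAMPLE_POLICY,
  "https://www.example.org/account?token=abc#top",
  "https://analytics.google.com/collect"));
```

The point the model makes concrete is the one in the message: the detailed URL reaches only the destinations an operator has listed, every other destination sees just the origin, and the matching order means a narrow rule such as `*.facebook.com/foo` must precede the catch-all `*` to take effect.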