Re: Referrer Policy: Same-origin URIs

Thinking a bit more about this: it's probably more reasonable if
you're hoping to safeguard tokens from ending up in various Referer
analytics reports for unrelated parts of the site (the access to which
may be delegated to people who have no interest in seeing the URLs).

I still feel that if we're adding so much complexity to the directive,
we should probably just bite the bullet and allow people to specify
policies for domains in a CSP fashion, i.e., detailed referrer goes to
*.google.com, *.google.com.pl, *.facebook.com/foo, origin referrer
goes to *, etc. It would let people use analytics across multi-domain
properties while reaping the benefits of a safe default for the rest
of the Internet.

/mz

Received on Saturday, 8 November 2014 22:47:33 UTC
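An added illustration of the per-destination policy sketched in the message above. It is not code from the message, from any browser, or from the Referrer Policy spec; the rule syntax ("*.host", "host/pathprefix", "*"), the "full"/"origin" levels, first-match-wins ordering, the CSP-style subdomain semantics for "*.host", and the https-to-http downgrade check are all assumptions made for the example. The source URL carries a token in its query string, as in the concern the thread is about, and the example shows which destinations receive it.

```javascript
// Added example, not part of the original message or of any spec.
// A CSP-style referrer policy: detailed referrer to the listed properties,
// origin-only referrer to everyone else. First matching rule wins.
// (Assumed syntax: "*.host", "host/pathprefix", or "*" as catch-all.)
const POLICY = [
  { pattern: "*.google.com",       send: "full" },
  { pattern: "*.google.com.pl",    send: "full" },
  { pattern: "*.facebook.com/foo", send: "full" },
  { pattern: "*",                  send: "origin" },
];

// Split a pattern into its host part and path-prefix part.
function parsePattern(pattern) {
  if (pattern === "*") {
    return { anyHost: true, wildcard: false, host: "", pathPrefix: "/" };
  }
  const slash = pattern.indexOf("/");
  const hostPart = (slash === -1 ? pattern : pattern.slice(0, slash)).toLowerCase();
  const pathPrefix = slash === -1 ? "/" : pattern.slice(slash);
  const wildcard = hostPart.startsWith("*.");
  return {
    anyHost: false,
    wildcard,
    host: wildcard ? hostPart.slice(2) : hostPart,
    pathPrefix,
  };
}

// Does a destination URL fall under a rule?  Host matching follows CSP
// source-expression semantics (an assumption here): "*.google.com" matches
// any subdomain of google.com, not google.com itself, and never
// "notgoogle.com".  Path prefixes match on a segment boundary, so "/foo"
// covers "/foo" and "/foo/x" but not "/foobar".
function ruleMatches(rule, dest) {
  const host = dest.hostname.toLowerCase();
  if (!rule.anyHost) {
    if (rule.wildcard) {
      if (!host.endsWith("." + rule.host)) return false;
    } else if (host !== rule.host) {
      return false;
    }
  }
  const p = rule.pathPrefix;
  if (p === "/") return true;
  return dest.pathname === p ||
         dest.pathname.startsWith(p.endsWith("/") ? p : p + "/");
}

// Compute the Referer value for a request from `from` to `to`.
// Returns a string, or null when no Referer should be sent at all.
function referrerFor(policy, from, to) {
  const src = new URL(from);
  const dest = new URL(to);

  // Assumed carried over from the browser's usual default: never send a
  // referrer across an https -> http downgrade, whatever the policy says.
  if (src.protocol === "https:" && dest.protocol !== "https:") return null;

  const rule = policy
    .map(r => ({ ...r, ...parsePattern(r.pattern) }))
    .find(r => ruleMatches(r, dest));
  if (!rule) return null; // no catch-all configured: send nothing (safe default)

  if (rule.send === "origin") return src.origin + "/";

  // "full": scheme, host, path and query; never the fragment or credentials
  // (URL.origin already excludes any userinfo in the source URL).
  return src.origin + src.pathname + src.search;
}
```

The point of the path-prefix and subdomain checks is that the "full" level is the one that leaks tokens, so its matching has to be strict: a rule for `*.facebook.com/foo` must not fire for `/foobar`, and `*.google.com` must not fire for `notgoogle.com`. Everything that does not match a listed property falls through to the origin-only catch-all, which is the safe default the message argues for.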