- From: Jim Manico <jim.manico@owasp.org>
- Date: Sun, 9 Nov 2014 07:22:24 +0800
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "eisinger@google.com" <eisinger@google.com>
Please forgive my (continued) ignorance, but isn't keeping secrets out of GET requests the law of the land for secure web application development?

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Nov 9, 2014, at 6:48 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>
> Thinking a bit more about this: it's probably more reasonable if
> you're hoping to safeguard tokens from ending up in various Referer
> analytics reports for unrelated parts of the site (the access to which
> may be delegated to people who have no interest in seeing the URLs).
>
> I still feel that if we're adding so much complexity to the directive,
> we should probably just bite the bullet and allow people to specify
> policies for domains in a CSP fashion, i.e., detailed referrer goes to
> *.google.com, *.google.com.pl, *.facebook.com/foo, origin referrer
> goes to *, etc. It would let people use analytics across multi-domain
> properties while reaping the benefits of a safe default for the rest
> of the Internet.
>
> /mz
>
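To make the two positions in this exchange concrete, here is a small model of the per-destination referrer policy Michal sketches (detailed referrer to a few listed hosts, origin-only to everyone else), run against a page URL that carries a token in its query string, which is exactly the GET-secret case Jim raises. This is an added illustration, not code from the thread, the spec, or any browser. The rule syntax (`hostpattern[/pathprefix]`, first match wins), the level names `full`, `origin` and `none`, the hostnames, and the sample URL with its token are all constructed for the example; the https-to-http "send nothing" rule is an assumption chosen to mirror browsers' long-standing default.

```python
"""Toy per-destination referrer policy (constructed example, not a real directive).

Assumed rule syntax: "hostpattern[/pathprefix]" with fnmatch-style wildcards on
the host part; levels are "full", "origin" or "none"; the first matching rule wins;
an https -> http transition sends no referrer at all (assumption).
"""
from fnmatch import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Constructed policy in the spirit of the proposal: detailed referrer to the
# analytics vendor and to one path on a partner site, origin-only everywhere else.
POLICY = [
    ("*.analytics-vendor.test", "full"),
    ("partner.test/foo", "full"),
    ("*", "origin"),
]

# Constructed sample: a page whose URL carries a secret in the query string.
SAMPLE_SOURCE = "https://app.example.test/account/reset?token=CONSTRUCTED-TOKEN-123#top"


def _host_of(parts):
    return (parts.hostname or "").lower()


def _netloc_without_credentials(parts):
    """Rebuild host[:port] so any user:pass@ in the URL never reaches the header."""
    host = _host_of(parts)
    return f"{host}:{parts.port}" if parts.port else host


def rule_matches(dest, pattern):
    """True if the destination URL falls under the rule's host pattern and,
    when the rule carries one, its path prefix (a plain string prefix here)."""
    parts = urlsplit(dest)
    host_pat, _, path_prefix = pattern.partition("/")
    if not fnmatch(_host_of(parts), host_pat.lower()):
        return False
    return parts.path.startswith("/" + path_prefix) if path_prefix else True


def full_referrer(url):
    """Detailed referrer: the URL minus fragment and credentials. The query
    string, and any token in it, is kept; that is the exposure Jim asks about."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _netloc_without_credentials(p), p.path or "/", p.query, ""))


def origin_referrer(url):
    """Origin-only referrer: scheme://host[:port]/ with path and query dropped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _netloc_without_credentials(p), "/", "", ""))


def referrer_for(source, dest, policy=POLICY):
    """Return the Referer value this toy policy would send from source to dest,
    or None when nothing should be sent."""
    s, d = urlsplit(source), urlsplit(dest)
    # Assumption: never leak an https page's URL to an http destination.
    if s.scheme == "https" and d.scheme == "http":
        return None
    for pattern, level in policy:
        if rule_matches(dest, pattern):
            if level == "full":
                return full_referrer(source)
            if level == "origin":
                return origin_referrer(source)
            return None
    return None  # no rule matched: send nothing (assumption)


if __name__ == "__main__":
    for dest in (
        "https://stats.analytics-vendor.test/collect",
        "https://partner.test/foo/widget",
        "https://partner.test/other",
        "https://www.unrelated.test/page",
        "http://www.unrelated.test/page",
    ):
        print(f"{dest:45} -> {referrer_for(SAMPLE_SOURCE, dest)}")
```

Running it shows the trade-off in one screen: the analytics host and the whitelisted partner path receive the full URL, token included, while every other destination sees only `https://app.example.test/`. The policy limits where the token travels, but the detailed-referrer destinations still learn it, which is why keeping the secret out of the URL in the first place remains the stronger control.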
Received on Saturday, 8 November 2014 23:22:57 UTC