Re: Early morning thoughts on referrers. from Devdatta Akhawe on 2014-11-18 (public-webappsec@w3.org from November 2014)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 17 Nov 2014 20:41:40 -0800
To: Brad Hill <hillbrad@fb.com>
Cc: Jochen Eisinger <eisinger@google.com>, Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>
Message-ID: <CAPfop_3_tz5o+OXGtrTeize7U7ssoYhROcysCkUwyOLMLEt-sg@mail.gmail.com>

forgive me, but I thought, on the call, there was agreement that the basic
"use this same-origin URI as referer" is ok for the declarative mechanism?

cheers
Dev

On 17 November 2014 20:23, Brad Hill <hillbrad@fb.com> wrote:

>  Yes, we discussed this on the call.  Takeaways were:
>
>
>    1. The current behavior is what is already implemented in Webkit
>    browsers.
>    2. We should only complicate a declarative policy mechanism so much.
>    3. ServiceWorkers seem like they might be a good fit for doing
>    fine-grained control of referrer headers in an imperative manner.
>
> Therefore, the group was inclined to leave the spec more or less as-is, at
> least for declarative purposes and CSP, and continue exploration of a more
> fully featured API for ServiceWorkers and Fetch.
>
>  Can everybody live with that?
>
>  -Brad
>
>   From: Jochen Eisinger <eisinger@google.com>
> Date: Monday, November 10, 2014 at 2:32 AM
> To: Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>
> Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <
> dev.akhawe@gmail.com>, Brian Smith <brian@briansmith.org>
> Subject: Re: Early morning thoughts on referrers.
> Resent-From: <public-webappsec@w3.org>
> Resent-Date: Monday, November 10, 2014 at 2:32 AM
>
>   I'm not sure that introducing additional complexity into the referrer
> policy spec is worthwhile. I see the referrer policy as working around some
> short-comings for websites moving to https, but I don't think that
> referrers in general are such a great feature that we should make it more
> compelling to use.
>
>  best
> -jochen
>
> On Mon Nov 10 2014 at 10:01:36 AM Anne van Kesteren <annevk@annevk.nl>
> wrote:
>
>> On Mon, Nov 10, 2014 at 6:10 AM, Mike West <mkwst@google.com> wrote:
>> > As a strawman, let's break requests into two buckets: same-public-suffix
>> > and cross-public-suffix,
>>
>> Why do we need to bring public suffix into this? That seems like a bad
>> idea.
>>
>> I agree with Brian that we want to differentiate subresources from
>> "navigation" (client fetches?). Service workers also need that
>> distinction, perhaps we should come up with some kind of definition
>> based on request contexts. (For that we also need to resolve that
>> dedicated worker question I posed a while back.)
>>
>>
>> --
>> https://annevankesteren.nl/
>> <https://urldefense.proofpoint.com/v1/url?u=https://annevankesteren.nl/&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=jVV398LIUT3H%2FO4pIApxFevQTEeBV8C9ugbB3rreDzo%3D%0A&s=d51a2323dcef215c3ebf3e1fc231ae3595d67d15598264874a6ff1496b9d6f3c>
>>
>

Received on Tuesday, 18 November 2014 04:42:28 UTC