- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 19 Nov 2014 15:47:02 -0800
- To: Brad Hill <hillbrad@fb.com>
- Cc: Jochen Eisinger <eisinger@google.com>, Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>
On Mon, Nov 17, 2014 at 8:23 PM, Brad Hill <hillbrad@fb.com> wrote:

> Yes, we discussed this on the call. Takeaways were:
>
> The current behavior is what is already implemented in Webkit browsers.
> We should only complicate a declarative policy mechanism so much.
> ServiceWorkers seem like they might be a good fit for doing fine-grained
> control of referrer headers in an imperative manner.

I agree with the above. But...

> Therefore, the group was inclined to leave the spec more or less as-is, at
> least for declarative purposes and CSP, and continue exploration of a more
> fully featured API for ServiceWorkers and Fetch.
>
> Can everybody live with that?

The above points address only a small portion of what was discussed in this thread, and only the least controversial points. That 'unsafe-url' is unnecessary and bad, that it doesn't make sense to apply the same policy to subresources and navigation, and other problems with referrer policy, are still unresolved.

Cheers,
Brian
Received on Wednesday, 19 November 2014 23:47:29 UTC