Re: Early morning thoughts on referrers.

From: Brian Smith <brian@briansmith.org>
Date: Wed, 19 Nov 2014 15:47:02 -0800
Message-ID: <CAFewVt4EuBy=UeXgrEXBiC1rFcjGj0De4Z42b8ZkECdGwZ1VMw@mail.gmail.com>
To: Brad Hill <hillbrad@fb.com>
Cc: Jochen Eisinger <eisinger@google.com>, Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>
On Mon, Nov 17, 2014 at 8:23 PM, Brad Hill <hillbrad@fb.com> wrote:
> Yes, we discussed this on the call.  Takeaways were:
> - The current behavior is what is already implemented in WebKit browsers.
> - We should only complicate a declarative policy mechanism so much.
> - ServiceWorkers seem like they might be a good fit for doing fine-grained
>   control of referrer headers in an imperative manner.

I agree with the above. But...

> Therefore, the group was inclined to leave the spec more or less as-is, at
> least for declarative purposes and CSP, and continue exploration of a more
> fully featured API for ServiceWorkers and Fetch.
> Can everybody live with that?

The above points address only a small portion of what was discussed in
this thread, and only the least controversial points. That
'unsafe-url' is unnecessary and bad, that it doesn't make sense to
apply the same policy to subresources and navigation, and other
problems with referrer policy, are still unresolved.

Received on Wednesday, 19 November 2014 23:47:29 UTC
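Editor's illustration, added here and not part of the thread or of any browser's or the spec's code: a small model of how the Referer value is derived under each policy name in the Referrer Policy draft, to make concrete what 'unsafe-url' sends that the other policies do not. It assumes the five policy names in the draft of that period (no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, unsafe-url); the source and destination URLs are constructed sample inputs, and the function names are mine. Note that the model, like the policy it mirrors, takes no argument saying whether the request is a navigation or a subresource fetch, which is the gap the reply above objects to.

```javascript
// Simplified model of Referer derivation under each referrer policy.
// Assumed policy names follow the Referrer Policy draft; this is an
// illustration written for this page, not reference code from the spec.
const POLICIES = [
  "no-referrer",
  "no-referrer-when-downgrade",
  "origin",
  "origin-when-cross-origin",
  "unsafe-url",
];

// Credentials and fragment are never sent in a Referer, under any policy.
function stripForReferrer(urlString) {
  const url = new URL(urlString);
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

// A "downgrade" is a request from a TLS-protected page to a plaintext one.
function isDowngrade(from, to) {
  return from.protocol === "https:" && to.protocol !== "https:";
}

// Returns the Referer header value, or null when no Referer is sent.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const full = stripForReferrer(fromUrl);
  const originOnly = from.origin + "/"; // serialized origin plus "/"
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return isDowngrade(from, to) ? null : full;
    case "origin":
      return originOnly;
    case "origin-when-cross-origin":
      return from.origin === to.origin ? full : originOnly;
    case "unsafe-url":
      return full; // path and query leak even to plaintext destinations
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// True when the policy would put path/query on the wire to a non-https
// destination, i.e. the case 'unsafe-url' was named for.
function leaksPathOverPlaintext(policy, fromUrl, toUrl) {
  const value = referrerFor(policy, fromUrl, toUrl);
  if (value === null) return false;
  const sent = new URL(value);
  const to = new URL(toUrl);
  const hasPathOrQuery = sent.pathname !== "/" || sent.search !== "";
  return hasPathOrQuery && to.protocol !== "https:";
}

// Map every policy to the Referer it would produce for one request.
function compare(fromUrl, toUrl) {
  const out = {};
  for (const p of POLICIES) out[p] = referrerFor(p, fromUrl, toUrl);
  return out;
}

// Constructed sample request: a TLS page with a secret in its query string
// loading something from a plaintext third-party host.
const SAMPLE_FROM = "https://user:pw@example.com/account?token=abc123#section";
const SAMPLE_TO = "http://tracker.example/pixel.gif";

if (typeof require !== "undefined" && require.main === module) {
  console.log(compare(SAMPLE_FROM, SAMPLE_TO));
}
```

Running it on the sample shows the asymmetry the thread is about: only 'unsafe-url' places `/account?token=abc123` on a plaintext connection, while 'no-referrer-when-downgrade' sends nothing for that request and the origin-based policies send `https://example.com/`.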