Re: Early morning thoughts on referrers.

On Mon, Nov 17, 2014 at 8:23 PM, Brad Hill <hillbrad@fb.com> wrote:
> Yes, we discussed this on the call.  Takeaways were:
>
> The current behavior is what is already implemented in WebKit browsers.
> We should only complicate a declarative policy mechanism so much.
> ServiceWorkers seem like they might be a good fit for doing fine-grained
> control of referrer headers in an imperative manner.

I agree with the above. But...

> Therefore, the group was inclined to leave the spec more or less as-is, at
> least for declarative purposes and CSP, and continue exploration of a more
> fully featured API for ServiceWorkers and Fetch.
>
> Can everybody live with that?

The above points address only a small portion of what was discussed in
this thread, and only the least controversial points. That
'unsafe-url' is unnecessary and bad, that it doesn't make sense to
apply the same policy to subresources and navigation, and other
problems with referrer policy, are still unresolved.

Cheers,
Brian

Received on Wednesday, 19 November 2014 23:47:29 UTC