- From: Brian Smith <brian@briansmith.org>
- Date: Fri, 24 Oct 2014 00:03:11 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAFewVt6JzyQ1Rx1DY56Y46FEyFmH3vr1GZWzN0VWsW92bm=73Q@mail.gmail.com>
On Thu, Oct 23, 2014 at 10:29 PM, Mark Nottingham <mnot@mnot.net> wrote:

> The bigger issue, however, is whether this is a good idea at all. In particular, "unsafe-url" removes this prohibition completely, for an *entire* page.
>
> This is likely to create a situation where those providing third-party functionality want/require referers, so they tell HTTPS sites to set "unsafe-url" or face a functional (or financial) penalty; now not only the intended content but all other fetches from the page will send a referer.
>
> I understand that there's a delicate balance here; if referers aren't sent at all, sites may be reluctant to move to HTTPS (although one might just say that the sites they're linking to should move to HTTPS!). The question is whether there's a net improvement to Web security.
>
> Arguably, origin-only and origin-when-cross-origin might get that balance right; I question whether unsafe-url and always (which isn't well-documented, btw) do.
>
> Has this been discussed yet?

Mark, if I understand you correctly, then I very much agree with you. See these messages, and others in that thread:

http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0174.html
http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html

See also:

https://groups.google.com/forum/#!msg/mozilla.dev.privacy/wmPzPCdzIU8/Vrugn8XquL4J

Cheers,
Brian
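The leak Mark describes, modelled as an added example that is not part of this thread or of any browser's code: a simplified referrer computation for the policy keywords under discussion, with the thread's "origin-only" assumed to map to the keyword "origin" and the sample URLs constructed for illustration.

```javascript
// Simplified model of how a user agent picks the Referer value under the
// referrer-policy keywords discussed in the thread. This is an illustrative
// reconstruction for teaching, not the spec's algorithm or any browser's code.
// Keyword names are assumed; "origin" stands in for the thread's "origin-only".

function stripForReferrer(url) {
  // Referrers never carry credentials or the fragment.
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

function isDowngrade(src, dst) {
  // HTTPS page fetching a non-HTTPS resource.
  return src.protocol === "https:" && dst.protocol !== "https:";
}

// Returns the Referer header value, or null when none should be sent.
function referrerFor(policy, sourceUrl, destinationUrl) {
  const src = stripForReferrer(sourceUrl);
  const dst = new URL(destinationUrl);
  const sameOrigin = src.origin === dst.origin;
  switch (policy) {
    case "none":
      return null;
    case "origin": // origin-only: scheme, host and port, nothing else
      return src.origin + "/";
    case "origin-when-cross-origin":
      return sameOrigin ? src.href : src.origin + "/";
    case "unsafe-url":
      // Full URL on every fetch, even from HTTPS to plain HTTP: this is the
      // page-wide downgrade leak Mark objects to.
      return src.href;
    default:
      // Default behaviour: send the full URL except on an HTTPS -> HTTP downgrade.
      return isDowngrade(src, dst) ? null : src.href;
  }
}

// Constructed sample: an HTTPS page fetching a third-party widget over HTTP.
const PAGE = "https://bank.example/accounts/12345?token=abc#summary";
const WIDGET = "http://widgets.example/script.js";

for (const p of ["none", "origin", "origin-when-cross-origin", "unsafe-url", "default"]) {
  console.log(p.padEnd(26), "->", referrerFor(p, PAGE, WIDGET));
}
```

Only "unsafe-url" hands the path and query string of the HTTPS page to the plain-HTTP third party; the two policies Mark calls balanced stop at the origin.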
Received on Friday, 24 October 2014 07:03:40 UTC