- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sun, 8 Feb 2015 23:32:31 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi (previously on blink-security-dev https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/-t_-5m6ChDg)

Currently, (I believe) in release versions, Firefox supports the "origin-when-crossorigin" value for the referrer directive while Chrome doesn't. Unfortunately, the Chrome implementation of the spec is "if I don't know the name of the directive value, fall back to the secure 'none'". This means that as a web application developer, I can't use origin-when-crossorigin since it would break referrer for far too many users.

I think the spec should be changed to say "if you don't know the name of the directive, ignore it". This will allow web application developers to make the best choice according to what they feel is the right thing to do. For example, the web application could do:

<meta content="unsafe-url" name="referrer" />
<meta content="origin-when-crossorigin" name="referrer" />

This will allow the app to provide the most protection possible without breaking features and not being limited by what version of the browser the user is relying on.

What do others think?

cheers
Dev
Received on Monday, 9 February 2015 07:33:19 UTC
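An added example (not part of the original message, and not any browser's actual implementation): a small JavaScript model of how a browser resolves several <meta name="referrer"> tags in document order, comparing the "unknown value falls back to none" behaviour the message objects to with the proposed "ignore unknown value" behaviour. The sets of policy values each browser recognizes are assumed for illustration, not taken from any real release.

```javascript
// Added example: models how a browser resolves <meta name="referrer"> tags
// in document order under the two behaviours the message contrasts.

// Constructed sample: the two tags proposed in the message, in document order.
const META_TAGS = [
  { name: "referrer", content: "unsafe-url" },
  { name: "referrer", content: "origin-when-crossorigin" },
];

// Assumed value sets (not taken from any real release): an older browser
// that does not know origin-when-crossorigin, and a newer one that does.
const OLD_BROWSER = new Set(["none", "origin", "unsafe-url", "default"]);
const NEW_BROWSER = new Set([...OLD_BROWSER, "origin-when-crossorigin"]);

// Each referrer meta tag is processed in order; the last one processed wins.
// unknownIsNone=true models "unknown value -> fall back to none" (the
// behaviour the message objects to); false models "ignore unknown value".
function resolvePolicy(metaTags, known, unknownIsNone) {
  let policy = "default";
  for (const tag of metaTags) {
    if (tag.name !== "referrer") continue;
    if (known.has(tag.content)) policy = tag.content;
    else if (unknownIsNone) policy = "none";
    // otherwise the unknown value is ignored and the previous policy is kept
  }
  return policy;
}

function stripFragment(u) { return u.origin + u.pathname + u.search; }

// The Referer value a request from `from` to `to` carries under `policy`
// (null means no Referer header is sent).
function referrerFor(policy, from, to) {
  const src = new URL(from), dst = new URL(to);
  switch (policy) {
    case "none": return null;
    case "origin": return src.origin + "/";
    case "origin-when-crossorigin":
      return src.origin === dst.origin ? stripFragment(src) : src.origin + "/";
    case "unsafe-url": return stripFragment(src);
    default: // "default": full URL unless downgrading https -> http
      return src.protocol === "https:" && dst.protocol === "http:" ? null : stripFragment(src);
  }
}
```

With the two tags above, the older browser ends up on "none" under the fallback behaviour (breaking the referrer entirely) but on "unsafe-url" under the ignore behaviour, while the newer browser reaches "origin-when-crossorigin" either way.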