W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: [Referrer] Adding a referrer attribute delivery mechanism

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 12 Feb 2015 17:54:23 +1100
Message-ID: <CABkgnnUNfGy=R+78JOWf5JqdCXqPAMWx_TV6uQo2uMX21G5qJQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 12 February 2015 at 17:35, Brian Smith <brian@briansmith.org> wrote:
> So, it doesn't matter
> whether rel=noreferrer takes precedence or we take the lower of both
> values, because both result in "none".

I actually think that given referrer=foo is newer and written with
full knowledge of the rel=noreferrer option, we could interpret <a
rel=noreferrer referrer=origin> as an intent to share the origin, but
no more than that.  A UA that doesn't support the new argument would
fail closed, but that would be intentional.

It seems like the right thing to do would be to remove rel=noreferrer
eventually, so being able to ignore it is easier than describing a
combination rule, or any rule where it takes precedence.  Both make it
harder to have it disappear.
Received on Thursday, 12 February 2015 06:54:50 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC