Re: [Referrer] Adding a referrer attribute delivery mechanism

Catching up with this thread; I might have missed something, but how
will this interact with the page-wide policy set by CSP or meta
directive? The GitHub PR only creates a new TODO to talk about the
intersection algorithm.

There is a huge advantage to the page-wide policy since it makes
reasoning about the security of a web application a lot more
tractable. I would be worried about letting a local element override
the page-wide policy (see Brad's note why this is imp
https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0268.html).

(Other than this, I don't have any concerns with the proposal)

~Dev


On 12 February 2015 at 00:06, Mike West <mkwst@google.com> wrote:
> On Thu, Feb 12, 2015 at 8:59 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> On Thu, Feb 12, 2015 at 8:43 AM, Mike West <mkwst@google.com> wrote:
>>> [...]
>>
>> By the way, before we add more attributes, there is this proposal outstanding:
>>
>>   https://www.w3.org/Bugs/Public/show_bug.cgi?id=26533
>>
>> With that proposal whenever we figure out something new to add to
>> Request objects, it would get automatically exposed to all request
>> contexts as a feature. That is probably a better idea long term.
>>
>> (It still doesn't help with the navigational bits we discussed, but
>> neither does this.)
>
> That looks reasonable to me, and would address this use case.
> Francois, would you be willing to hop onto that bug and describe this
> proposal to see how it might fit in with a more generic way of setting
> Fetch attributes? That might substantially simplify the wiring-up I
> noted earlier in the thread.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine
> Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>

Received on Friday, 13 February 2015 06:09:09 UTC