Re: [Referrer] Adding a referrer attribute delivery mechanism

From: Francois Marier <francois@mozilla.com>
Date: Fri, 13 Feb 2015 20:32:30 +1300
Message-ID: <54DDA88E.8020208@mozilla.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 13/02/15 19:08, Devdatta Akhawe wrote:
> There is a huge advantage to the page wide policy since it makes
> reasoning about the security of a web application a lot more
> tractable. I would be worried about letting a local element over-ride
> the page wide policy

As you point out, this is not part of the pull request, but what I was
thinking is that the element attribute would take precedence over the
page policy (at least the one defined in the meta tag, I'm not entirely
sure where the CSP policy would fit in).

This is important because it allows someone to say:

- no referrer for everything on this page
- except for this one link to an internal property because we need the
origin and path

If we have the meta policy take precedence over the policy in each link,
then the web developer in the above example isn't going to be able to
use a restrictive global policy.

Francois
Received on Friday, 13 February 2015 07:33:04 UTC
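
The precedence question raised in the message above, as an added example that is not part of the original post or of any browser's code: it audits what each link on a page would send as its referrer under both precedence orders. The policy tokens follow the current Referrer Policy specification (an assumption; the 2015 draft used different names), and the `referrer` field on each link object, the helper names and the URLs are constructed for illustration.

```javascript
// Added illustration; helper names, link objects and URLs are hypothetical.
// Strip credentials and fragment before a URL is used as a referrer.
function stripUrl(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// Referrer value sent for one navigation, or null when none is sent.
function referrerFor(policy, pageUrl, targetUrl) {
  const downgrade = new URL(pageUrl).protocol === "https:" &&
                    new URL(targetUrl).protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return stripUrl(pageUrl, true);
    case "unsafe-url": return stripUrl(pageUrl, false);
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripUrl(pageUrl, false);
    default: throw new Error("unsupported policy: " + policy);
  }
}

// precedence "element": a per-link attribute overrides the page policy.
// precedence "page": the page-wide (meta) policy always wins.
function effectivePolicy(pagePolicy, elementPolicy, precedence) {
  if (precedence === "element" && elementPolicy) return elementPolicy;
  return pagePolicy;
}

// Report, per link, the policy applied and the referrer that would be sent,
// so every per-link exception to the page policy is visible in one place.
function auditLinks(pageUrl, pagePolicy, links, precedence) {
  return links.map((l) => {
    const policy = effectivePolicy(pagePolicy, l.referrer, precedence);
    return { href: l.href, policy, overridden: policy !== pagePolicy,
             sent: referrerFor(policy, pageUrl, l.href) };
  });
}

// Constructed sample: restrictive page policy, one internal link opted out.
const PAGE = "https://app.example/account/reset?token=abc#step2";
const LINKS = [
  { href: "https://third-party.example/ad" },
  { href: "https://intranet.example/report", referrer: "unsafe-url" },
];
```

Listing the `overridden` entries gives a reviewer the set of links that deviate from the page-wide policy, which is the part that becomes harder to reason about once per-element overrides are allowed.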
