- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 13 Feb 2015 00:30:11 -0800
- To: Francois Marier <francois@mozilla.com>
- Cc: public-webappsec@w3.org
- Message-ID: <CAPfop_1bgYQMNEXmoaXQ2JYUciVerEdTtuGsvtSHO-8coW8JxQ@mail.gmail.com>

How about requiring the page level directive to opt-in to that behavior by asking it to add an unsafe-allow-override in the referrer policy? Otherwise any html injection (img say) allows leaking the current uri via a referrer, which breaks the high level guarantee the referrer policy can provide.

On Feb 12, 2015 11:35 PM, "Francois Marier" <francois@mozilla.com> wrote:

> On 13/02/15 19:08, Devdatta Akhawe wrote:
> > There is a huge advantage to the page wide policy since it makes
> > reasoning about the security of a web application a lot more
> > tractable. I would be worried about letting a local element over-ride
> > the page wide policy
>
> As you point out, this is not part of the pull request, but what I was
> thinking is that the element attribute would take precedence over the
> page policy (at least the one defined in the meta tag, I'm not entirely
> sure where the CSP policy would fit in).
>
> This is important because it allows someone to say:
>
> - no referrer for everything on this page
> - except for this one link to an internal property because we need the
>   origin and path
>
> If we have the meta policy take precedence over the policy in each link,
> then the web developer in the above example isn't going to be able to
> use a restrictive global policy.
>
> Francois
>
>

Received on Friday, 13 February 2015 08:30:38 UTC
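
The precedence options debated in this thread, modelled as an added example that is not part of either message or of any specification. It assumes the policy names `no-referrer`, `origin` and `unsafe-url`, treats `unsafe-allow-override` as the hypothetical opt-in token proposed above, and uses a constructed document URL.

```javascript
// Constructed model: how a page-wide referrer policy and a per-element
// policy attribute combine under the three rules discussed in the thread.
const OPT_IN = "unsafe-allow-override"; // hypothetical token from the proposal

// Split a page policy value such as "no-referrer unsafe-allow-override".
function parsePagePolicy(value) {
  const tokens = value.trim().split(/\s+/);
  const policy = tokens.find((t) => t !== OPT_IN);
  if (!policy) throw new Error("page policy value names no policy");
  return { policy, allowOverride: tokens.includes(OPT_IN) };
}

// rule: "page-wins" | "element-wins" | "element-wins-if-opted-in"
function effectivePolicy(rule, pageValue, elementPolicy) {
  const page = parsePagePolicy(pageValue);
  if (!elementPolicy) return page.policy; // element sets nothing: page applies
  switch (rule) {
    case "page-wins": return page.policy;
    case "element-wins": return elementPolicy;
    case "element-wins-if-opted-in":
      return page.allowOverride ? elementPolicy : page.policy;
    default: throw new Error("unknown rule: " + rule);
  }
}

// Referrer value sent for a request made from documentUrl under a policy.
function referrerFor(policy, documentUrl) {
  const u = new URL(documentUrl);
  switch (policy) {
    case "no-referrer": return "";
    case "origin": return u.origin + "/";
    case "unsafe-url":
      u.hash = ""; u.username = ""; u.password = ""; // never sent in a referrer
      return u.href;
    default: throw new Error("unmodelled policy: " + policy);
  }
}

// Referrer an element would send under each rule, for side-by-side review.
function compareRules(pageValue, elementPolicy, documentUrl) {
  const out = {};
  for (const rule of ["page-wins", "element-wins", "element-wins-if-opted-in"]) {
    out[rule] = referrerFor(effectivePolicy(rule, pageValue, elementPolicy), documentUrl);
  }
  return out;
}

// Constructed case: a no-referrer page holding a secret in its URL, and an
// element (legitimate link or injected img) that asks for unsafe-url.
const DOC = "https://app.example/reset?token=constructed-secret#step2";
console.log(compareRules("no-referrer", "unsafe-url", DOC));
console.log(compareRules("no-referrer " + OPT_IN, "unsafe-url", DOC));
```

With the opt-in absent, only the plain element-wins rule lets the element's attribute expose the full URL; once the page opts in, the exception for the internal link works but the same exposure applies to any element an injection can add.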