On 13/02/15 21:30, Devdatta Akhawe wrote: > How about requiring the page level directive to opt-in to that behavior > by asking it to add a unsafe-allow-override in the referrer policy? > Otherwise any html injection (img say) allows leaking the current uri > via a referrer, which breaks the high level guarantee the referrer > policy can provide. Ah, good point about injections. The usual answer to injection problems is to "use CSP" so maybe the CSP policy should be a non-overridable global policy while the <meta> would be overridable? FrancoisReceived on Friday, 13 February 2015 09:00:08 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC