On 13/02/15 21:30, Devdatta Akhawe wrote:
> How about requiring the page level directive to opt in to that behavior
> by asking it to add an unsafe-allow-override in the referrer policy?
> Otherwise any HTML injection (img say) allows leaking the current URI
> via a referrer, which breaks the high level guarantee the referrer
> policy can provide.

Ah, good point about injections.

The usual answer to injection problems is to "use CSP" so maybe the CSP
policy should be a non-overridable global policy while the <meta> would
be overridable?

Francois

Received on Friday, 13 February 2015 09:00:08 UTC