- From: Francois Marier <francois@mozilla.com>
- Date: Fri, 13 Feb 2015 21:59:35 +1300
- To: public-webappsec@w3.org

On 13/02/15 21:30, Devdatta Akhawe wrote:
> How about requiring the page level directive to opt-in to that behavior
> by asking it to add an unsafe-allow-override in the referrer policy?
> Otherwise any html injection (img say) allows leaking the current uri
> via a referrer, which breaks the high level guarantee the referrer
> policy can provide.

Ah, good point about injections.

The usual answer to injection problems is to "use CSP" so maybe the CSP policy should be a non-overridable global policy while the <meta> would be overridable?

Francois

Received on Friday, 13 February 2015 09:00:08 UTC