
Re: [Referrer] Adding a referrer attribute delivery mechanism

From: Francois Marier <francois@mozilla.com>
Date: Fri, 13 Feb 2015 21:59:35 +1300
Message-ID: <54DDBCF7.3060105@mozilla.com>
To: public-webappsec@w3.org
On 13/02/15 21:30, Devdatta Akhawe wrote:
> How about requiring the page level directive to opt-in to that behavior
> by asking it to add an unsafe-allow-override in the referrer policy?
> Otherwise any html injection (img say) allows leaking the current uri
> via a referrer, which breaks the high level guarantee the referrer
> policy can provide.

Ah, good point about injections. The usual answer to injection problems
is to "use CSP" so maybe the CSP policy should be a non-overridable
global policy while the <meta> would be overridable?

Francois
Received on Friday, 13 February 2015 09:00:08 UTC
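As an added illustration of the two proposals in this exchange (not code from the thread, the spec, or any browser): a small resolver in which an element-level referrer attribute can override the page policy only when the page carries the opt-in token Devdatta suggested, and a policy delivered via CSP is never overridable. The policy value names, the `unsafe-allow-override` token, and the parsing are assumptions for illustration.

```javascript
// Added example modelling the thread's proposals; names are assumptions.
// Policy values assumed for illustration (the spec's set may differ).
const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "unsafe-url",
]);
const DEFAULT_POLICY = "no-referrer-when-downgrade";

// Parse a page-level value such as "origin unsafe-allow-override".
// Unknown policy tokens are ignored so a typo cannot grant an override.
function parsePagePolicy(value) {
  const tokens = value.trim().split(/\s+/);
  const allowOverride = tokens.includes("unsafe-allow-override");
  const policy = tokens.find((t) => POLICIES.has(t)) || null;
  return { policy, allowOverride };
}

// Resolve the policy applied to one request.
//   cspPolicy:   policy from the CSP header (non-overridable), or null
//   metaValue:   content of <meta name="referrer">, or null
//   elementAttr: referrer attribute on the originating element, or null
function resolvePolicy({ cspPolicy = null, metaValue = null, elementAttr = null }) {
  // Header-delivered policy wins outright: injected markup cannot reach it.
  if (cspPolicy !== null) return cspPolicy;

  const page = metaValue !== null
    ? parsePagePolicy(metaValue)
    : { policy: null, allowOverride: false };
  const element = POLICIES.has(elementAttr) ? elementAttr : null;

  // An element may override only when the page set no policy (nothing to
  // protect) or explicitly opted in; otherwise an injected <img referrer=...>
  // cannot loosen the page-wide guarantee.
  if (element !== null && (page.policy === null || page.allowOverride)) {
    return element;
  }
  return page.policy !== null ? page.policy : DEFAULT_POLICY;
}

// Injected element attempting to widen "origin" to "unsafe-url" without opt-in.
console.log(resolvePolicy({ metaValue: "origin", elementAttr: "unsafe-url" }));
```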