- From: Brian Smith <brian@briansmith.org>
- Date: Fri, 13 Feb 2015 10:50:27 -0800
- To: Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Francois Marier <francois@mozilla.com> wrote:

> On 13/02/15 21:30, Devdatta Akhawe wrote:
>> How about requiring the page level directive to opt-in to that behavior
>> by asking it to add an unsafe-allow-override in the referrer policy?
>> Otherwise any HTML injection (img say) allows leaking the current URI
>> via a referrer, which breaks the high level guarantee the referrer
>> policy can provide.
>
> Ah, good point about injections. The usual answer to injection problems
> is to "use CSP" so maybe the CSP policy should be a non-overridable
> global policy while the <meta> would be overridable?

How about this?:

1. We set the defaults to be strict.
2. We allow the referrer attribute to make the policy less strict on a per-link/subresource basis.
3. The CSP directives are used to specify the maximum amount of disclosure of referrer information that everything will be capped at.

Then we probably don't even need <meta referrer> at all.

This is part of what I described at https://briansmith.org/referrer-01, except I abused the "rel" attribute instead of introducing a new "referrer" attribute.

Cheers,
Brian
Received on Friday, 13 February 2015 18:50:54 UTC
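The layering Brian proposes (strict default, per-element loosening, page-wide CSP cap) can be modelled as a small resolver. This is an added example, not code from the thread or from any browser; it assumes a strictest default of `no-referrer`, takes the per-element value and the CSP cap as plain parameters (the real directive and attribute names are not fixed by the message), and uses the current Referrer Policy keyword set to compute what a given request would disclose.

```javascript
// Disclosure produced by each policy for one request: "none", "origin" or "full".
const isDowngrade = (src, dst) => src.protocol === "https:" && dst.protocol !== "https:";
const sameOrigin = (src, dst) => src.origin === dst.origin;
const POLICIES = {
  "no-referrer": () => "none",
  "origin": () => "origin",
  "unsafe-url": () => "full",
  "same-origin": (s, d) => (sameOrigin(s, d) ? "full" : "none"),
  "strict-origin": (s, d) => (isDowngrade(s, d) ? "none" : "origin"),
  "origin-when-cross-origin": (s, d) => (sameOrigin(s, d) ? "full" : "origin"),
  "no-referrer-when-downgrade": (s, d) => (isDowngrade(s, d) ? "none" : "full"),
  "strict-origin-when-cross-origin": (s, d) =>
    sameOrigin(s, d) ? "full" : isDowngrade(s, d) ? "none" : "origin",
};
const RANK = { none: 0, origin: 1, full: 2 };

function disclosure(policy, src, dst) {
  const rule = POLICIES[policy];
  if (!rule) throw new Error(`unknown referrer policy: ${policy}`);
  return rule(src, dst);
}

// Resolve the Referer value a request would carry under the proposed scheme.
// elementPolicy: value of the hypothetical per-link/subresource attribute (may be undefined).
// cspCap: value of the hypothetical page-wide CSP directive (may be undefined).
function effectiveReferrer({ pageUrl, targetUrl, elementPolicy, cspCap, defaultPolicy = "no-referrer" }) {
  const src = new URL(pageUrl);
  const dst = new URL(targetUrl);
  // Step 1+2: strict default, which the per-element attribute may relax.
  const requested = elementPolicy in POLICIES ? elementPolicy : defaultPolicy;
  let level = disclosure(requested, src, dst);
  // Step 3: the CSP cap bounds disclosure regardless of what the element asked for,
  // so injected markup (e.g. an <img>) cannot exceed the page-wide policy.
  if (cspCap) {
    const cap = disclosure(cspCap, src, dst);
    if (RANK[level] > RANK[cap]) level = cap;
  }
  if (level === "none") return null;
  if (level === "origin") return src.origin + "/";
  const full = new URL(src.href); // strip credentials and fragment, as browsers do
  full.username = ""; full.password = ""; full.hash = "";
  return full.href;
}
```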