- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 8 Jan 2015 09:51:17 +0100
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>

On Wed, Jan 7, 2015 at 8:56 PM, Brad Hill <hillbrad@gmail.com> wrote:
> Ah. Thanks for the pointer to that discussion. If that behavior is
> mandated by rel="noreferrer", I definitely think we should apply the same
> logic when a referrer policy is 'none', but it seems it would also be useful
> to be able to combine with any policy. (e.g. send origin-only referrer but
> also disown window.opener)

Yeah I think having a CSP way to disable opener would be great. I'm not sure we should couple it to the Referrer Policy in any way, it seems better those are orthogonal and only coupled through rel=noreferrer (e.g. once we add a way to set the referrer to none through the Fetch API it won't impact opener either).

--
https://annevankesteren.nl/

Received on Thursday, 8 January 2015 08:51:44 UTC