
Re: [REFERRER] Combination of referrer directive values

From: Mike West <mkwst@google.com>
Date: Thu, 8 Jan 2015 11:17:21 +0100
Message-ID: <CAKXHy=egnkHa9OGmumauOdesHLKBdKH95OKkGwcCa=57VYrMSw@mail.gmail.com>
To: sourcekick <sourcekick@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

In the current spec, no, there's no way to create combinations of different
directive values.

Brian has raised some fundamental issues with the current spec, though,
which I think we'll need to address with some broad changes. That might get
us closer to something that would address your use case, but it's not
implemented in any browsers today.


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Sun, Dec 28, 2014 at 8:16 PM, sourcekick <sourcekick@gmail.com> wrote:

> Hi,
> is it possible to combine certain choices of the referrer policy?
> If not, please consider making combinations possible or alternatively add
> more choices. That is, without making the whole space of possibilities too
> complicated.
> In particular I would be interested in the following combination:
> Origin When Cross-Origin AND No Referrer When Downgrade
> The intention here would be to not send a referrer at all over an insecure
> connection (http) while enforcing the rules of "Origin When Cross-Origin"
> regarding cases with secure connections (https).
> Note that
> http://w3c.github.io/webappsec/specs/referrer-policy/#determine-policy-for-token
> and
> http://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-states
> and
> https://w3c.github.io/webappsec/specs/content-security-policy/#directive-referrer
> read like combinations are not possible.
> -- sk
Received on Thursday, 8 January 2015 10:18:10 UTC
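
The combination asked about in this thread, written out as an added example that is not part of either message or of the spec. The function names and the policy token "combined-hypothetical" are assumptions made for illustration, the URLs are constructed, and the combined rule follows one reading of the request: nothing is sent to an http destination, otherwise Origin When Cross-Origin applies.

```javascript
// Added example. Policy names follow the 2015 draft's wording; the token
// "combined-hypothetical" is made up here and is NOT a spec value.

// Strip credentials and fragment; optionally reduce to the origin.
function stripForReferrer(url, originOnly) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Returns the Referer value to send, or null when none is sent.
function computeReferrer(policy, from, to) {
  const src = new URL(from);
  const dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";
  const originWhenCrossOrigin = () => stripForReferrer(src, !sameOrigin);

  switch (policy) {
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripForReferrer(src, false);
    case "origin-when-cross-origin":
      return originWhenCrossOrigin();
    case "combined-hypothetical":
      // Assumed reading of the request: nothing over http, otherwise
      // the origin-when-cross-origin rules.
      return dst.protocol !== "https:" ? null : originWhenCrossOrigin();
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed sample URLs.
const page = "https://user:pw@shop.example/cart?id=7#top";
const targets = ["https://shop.example/pay", "https://cdn.example/a.js", "http://tracker.example/p"];
for (const policy of ["no-referrer-when-downgrade", "origin-when-cross-origin", "combined-hypothetical"]) {
  for (const to of targets) {
    console.log(policy.padEnd(28), to.padEnd(28), computeReferrer(policy, page, to));
  }
}
```

The http row is where the policies differ: Origin When Cross-Origin alone still sends the origin over the insecure connection, while the combined rule sends nothing.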
