- From: Mike West <mkwst@google.com>
- Date: Thu, 8 Jan 2015 11:17:21 +0100
- To: sourcekick <sourcekick@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=egnkHa9OGmumauOdesHLKBdKH95OKkGwcCa=57VYrMSw@mail.gmail.com>
In the current spec, no, there's no way to create combinations of different directive values.

Brian has raised some fundamental issues with the current spec, though, which I think we'll need to address with some broad changes. That might get us closer to something that would address your use case, but it's not implemented in any browsers today.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Sun, Dec 28, 2014 at 8:16 PM, sourcekick <sourcekick@gmail.com> wrote:

> Hi,
>
> is it possible to combine certain choices of the referrer policy?
>
> If not, please consider making combinations possible or alternatively add
> more choices. That is, without making the whole space of possibilities too
> complicated.
>
>
> In particular I would be interested in the following combination:
> Origin When Cross-Origin AND No Referrer When Downgrade
> The intention here would be to not send a referrer at all over an insecure
> connection (http) while enforcing the rules of "Origin When Cross-Origin"
> regarding cases with secure connections (https).
>
>
> Note that
> http://w3c.github.io/webappsec/specs/referrer-policy/#determine-policy-for-token
> and
> http://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-states
> and
> https://w3c.github.io/webappsec/specs/content-security-policy/#directive-referrer
> read like combinations are not possible.
>
> -- sk
>
Received on Thursday, 8 January 2015 10:18:10 UTC
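
The combination asked about in this thread, modelled as an added example that is not part of the original mail or of the spec: it compares what each of the two named policy states would send with what the requested combination would send. The "Combined" label, the function names and the example.test URLs are constructed for illustration, and "insecure connection" is assumed to mean an https page requesting an http destination.

```javascript
// Added illustration. Policy state names are the ones used in the mail;
// "Combined" is a hypothetical label for the requested behaviour.

// Referrer values never carry credentials or the fragment.
function stripForReferrer(url) {
  const copy = new URL(url.href);
  copy.username = "";
  copy.password = "";
  copy.hash = "";
  return copy.href;
}

// Assumption: a downgrade is an https page requesting a non-https destination.
function isDowngrade(from, to) {
  return from.protocol === "https:" && to.protocol !== "https:";
}

// Returns the referrer string that would be sent, or null for no referrer.
function referrerFor(policy, fromHref, toHref) {
  const from = new URL(fromHref);
  const to = new URL(toHref);
  const full = stripForReferrer(from);
  const originOnly = from.origin + "/";
  const crossOrigin = from.origin !== to.origin;
  switch (policy) {
    case "No Referrer When Downgrade":
      return isDowngrade(from, to) ? null : full;
    case "Origin When Cross-Origin":
      return crossOrigin ? originOnly : full;
    case "Combined": // hypothetical: downgrade rule first, then origin trimming
      if (isDowngrade(from, to)) return null;
      return crossOrigin ? originOnly : full;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Constructed sample: a page whose URL carries a secret in the query string.
const PAGE = "https://app.example.test/reset?token=s3cret#step2";
function compare(toHref) {
  const out = {};
  for (const p of ["No Referrer When Downgrade", "Origin When Cross-Origin", "Combined"]) {
    out[p] = referrerFor(p, PAGE, toHref);
  }
  return out;
}
console.log(compare("http://cdn.example.test/lib.js"));
console.log(compare("https://partner.example.test/landing"));
```

Each single state leaves one gap the other closes: "Origin When Cross-Origin" still sends the origin over plain http, and "No Referrer When Downgrade" still sends the full URL, query string included, to other https origins.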