- From: Sid Stamm <sid@mozilla.com>
- Date: Fri, 20 Mar 2015 16:35:33 -0400
- To: public-webappsec@w3.org
Reviving a thread from a bit more than one month ago:

On Fri, 13 Feb 2015, Brian Smith <brian@briansmith.org> wrote:
> How about this?:

I like your direction here, Brian!

> 1. We set the defaults to be strict.
> 2. We allow the referrer attribute to make the policy less strict on a
> per-link/subresource basis.

I fully support these first two. What does this group think of making the default referrer "origin, but none when downgrade" for implementing user agents? Given my choice, I'd love the default to be no-referrer, but I realize that's a huge change and it seems to me that "origin" takes care of many privacy concerns here.

> 3. The CSP directives are used to specify the maximum amount of
> disclosure of referrer information that everything will be capped at.

I think the referrer directive should define "document default" (much like what meta referrer does) but I can imagine another directive or special token in the referrer directive that could make the CSP-defined policy a cap. Maybe something like:

    referrer max-policy origin-when-crossorigin

> Then we probably don't even need <meta referrer> at all.

I'm not sure that's the case. I think many site developers would still prefer to use a meta referrer to set a blanket default for a page. Depending on a server/CDN setup, devs may not be able to control the CSP per-request or per-document, but still be able to write meta tags. I much prefer CSP delivery of a referrer policy, but there are also use cases for meta tags.

-Sid
Received on Friday, 20 March 2015 20:36:00 UTC