
Re: [REFERRER] policy inheritance via javascript: URI and new document

From: Mike West <mkwst@google.com>
Date: Fri, 1 May 2015 07:39:18 -0700
Message-ID: <CAKXHy=cE0jJU0CkR+NpsQrORX3_FxdhaCaTLnrjKCrEgYjnMTg@mail.gmail.com>
To: Sid Stamm <sid@mozilla.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Jochen Eisinger <eisinger@google.com>, WebAppSec WG <public-webappsec@w3.org>

On Fri, May 1, 2015 at 5:22 AM, Sid Stamm <sid@mozilla.com> wrote:

> This all sounds to me like a good direction.
>
> 1. Align referrer policy with CSP propagation and reuse
> 2. make sure about:blank inherits.
>

I think that's a reasonable conclusion.


> How do we best capture this in the spec?  Would it make sense to
> actually call out that it's inherited with *any* inherited script
> security context, or address about:blank specifically?
>

What inheritance cases beyond `about:blank` are you worried about?

I'll take a stab at rewriting the relevant bits of the spec in the vaguely
near future: https://github.com/w3c/webappsec/issues/328.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 1 May 2015 14:40:07 UTC
