- From: Mike West <mkwst@google.com>
- Date: Fri, 9 Oct 2015 15:45:19 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Brian Smith <brian@briansmith.org>, Jochen Eisinger <eisinger@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
So, while rewriting most of CSP, I think I've decided that Brian was right, way back in https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html. CSP is simpler to conceptualize as a purely restrictive mechanism, and I'm on board with the idea that we should keep it that way.

To that end, I would suggest that we drop the `referrer` directive from the referrer policy spec, and turn it into a distinct header (how about `referrer: [type]` (or, `referer: origin` in the interests of historical amusement, and potentially turning on that exciting header compression that HTTP/2 folks go on about)).

CCing Brian, Brad, and Dan, who seemed most active in the conversation a year ago.

WDYT?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 9 October 2015 13:46:09 UTC