
Move `referrer` from CSP to some other header.

From: Mike West <mkwst@google.com>
Date: Fri, 9 Oct 2015 15:45:19 +0200
Message-ID: <CAKXHy=f=v5NF+Prz1araV6f=GMNk4R17m8vJB_s=DC+m_i8mMQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Brian Smith <brian@briansmith.org>, Jochen Eisinger <eisinger@google.com>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>
So, while rewriting most of CSP, I think I've decided that Brian was
right, way back in
https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html.
CSP is simpler to conceptualize as a purely restrictive mechanism, and
I'm on board with the idea that we should keep it that way.

To that end, I would suggest that we drop the `referrer` directive
from the referrer policy spec, and turn it into a distinct header (how
about `referrer: [type]` (or, `referer: origin` in the interests of
historical amusement, and potentially turning on that exciting header
compression that HTTP/2 folks go on about)).

CCing Brian, Brad, and Dan, who seemed most active in the conversation
a year ago.

WDYT?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Matthew Scott Sucherman, Paul
Terence Manicle
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
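As an added illustration (not code from Mike's mail, the CSP spec or any browser), the snippet below models the two carriers the proposal compares: the policy token read either from the existing CSP `referrer` directive or from the standalone `referrer:` header suggested above, and the `Referer` value a user agent would then send. It assumes lowercase header keys, the five policy tokens of the Referrer Policy draft of that period, and `no-referrer-when-downgrade` as the default when no policy is delivered.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: policy tokens from the 2015 Referrer Policy draft.
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "unsafe-url"}


def policy_from_headers(headers):
    """Return the policy token delivered by a response (dict with lowercase
    header names).  The standalone `referrer:` header from the proposal wins;
    otherwise fall back to the CSP `referrer` directive.  Unknown tokens are
    ignored so a typo never silently loosens or tightens the policy."""
    standalone = (headers.get("referrer") or "").strip().lower()
    if standalone in POLICIES:
        return standalone
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if len(parts) == 2 and parts[0].lower() == "referrer":
            if parts[1].lower() in POLICIES:
                return parts[1].lower()
    return None


def _stripped(u):
    # Referrers never carry userinfo or fragments; rebuild without them.
    host = u.hostname or ""
    if u.port:
        host += f":{u.port}"
    return urlunsplit((u.scheme, host, u.path, u.query, ""))


def _origin(u):
    return _stripped(u._replace(path="/", query=""))


def referer_for(policy, source, target):
    """Referer value sent from `source` to `target`; None means no header."""
    policy = policy or "no-referrer-when-downgrade"   # draft default
    src, dst = urlsplit(source), urlsplit(target)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = (src.scheme, src.hostname, src.port) == \
                  (dst.scheme, dst.hostname, dst.port)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(src)
    if policy == "origin":
        return _origin(src)
    if policy == "origin-when-cross-origin":
        return _stripped(src) if same_origin else _origin(src)
    return None if downgrade else _stripped(src)   # no-referrer-when-downgrade
```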
Received on Friday, 9 October 2015 13:46:09 UTC
