Re: Move `referrer` from CSP to some other header.

fine by me

On Fri, Oct 9, 2015 at 3:45 PM Mike West <mkwst@google.com> wrote:

> So, while rewriting most of CSP, I think I've decided that Brian was
> right, way back in
> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html.
> CSP is simpler to conceptualize as a purely restrictive mechanism, and
> I'm on board with the idea that we should keep it that way.
>
> To that end, I would suggest that we drop the `referrer` directive
> from the referrer policy spec, and turn it into a distinct header (how
> about `referrer: [type]` (or, `referer: origin` in the interests of
> historical amusement, and potentially turning on that exciting header
> compression that HTTP/2 folks go on about)).
>
> CCing Brian, Brad, and Dan, who seemed most active in the conversation
> a year ago.
>
> WDYT?
>
> --
> Mike West <mkwst@google.com>, @mikewest

Received on Friday, 9 October 2015 13:56:27 UTC