Re: Move `referrer` from CSP to some other header.

+1

On Fri, Oct 9, 2015 at 6:55 AM Jochen Eisinger <eisinger@google.com> wrote:

> fine by me
>
> On Fri, Oct 9, 2015 at 3:45 PM Mike West <mkwst@google.com> wrote:
>
>> So, while rewriting most of CSP, I think I've decided that Brian was
>> right, way back in
>> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html.
>> CSP is simpler to conceptualize as a purely restrictive mechanism, and
>> I'm on board with the idea that we should keep it that way.
>>
>> To that end, I would suggest that we drop the `referrer` directive
>> from the referrer policy spec, and turn it into a distinct header (how
>> about `referrer: [type]` (or, `referer: origin` in the interests of
>> historical amusement, and potentially turning on that exciting header
>> compression that HTTP/2 folks go on about)).
>>
>> CCing Brian, Brad, and Dan, who seemed most active in the conversation
>> a year ago.
>>
>> WDYT?
>>
>> --
>> Mike West <mkwst@google.com>, @mikewest
>>
>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
>> Registration court and number: Hamburg, HRB 86891, Registered
>> office: Hamburg, Managing directors: Matthew Scott Sucherman, Paul
>> Terence Manicle
>> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>>
>

Received on Friday, 9 October 2015 16:10:21 UTC