Re: Move `referrer` from CSP to some other header.

FWIW, I'm also pleased to see CSP heading back in this direction and away
from the 'security kitchen sink' direction.

ian


On Fri, Oct 9, 2015 at 9:09 AM, Brad Hill <hillbrad@gmail.com> wrote:

> +1
>
> On Fri, Oct 9, 2015 at 6:55 AM Jochen Eisinger <eisinger@google.com>
> wrote:
>
>> fine by me
>>
>> On Fri, Oct 9, 2015 at 3:45 PM Mike West <mkwst@google.com> wrote:
>>
>>> So, while rewriting most of CSP, I think I've decided that Brian was
>>> right, way back in
>>> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html.
>>> CSP is simpler to conceptualize as a purely restrictive mechanism, and
>>> I'm on board with the idea that we should keep it that way.
>>>
>>> To that end, I would suggest that we drop the `referrer` directive
>>> from the referrer policy spec, and turn it into a distinct header (how
>>> about `referrer: [type]` (or, `referer: origin` in the interests of
>>> historical amusement, and potentially turning on that exciting header
>>> compression that HTTP/2 folks go on about)).
>>>
>>> CCing Brian, Brad, and Dan, who seemed most active in the conversation
>>> a year ago.
>>>
>>> WDYT?
>>>
>>> --
>>> Mike West <mkwst@google.com>, @mikewest
>>>
>>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
>>> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
>>> Gesellschaft: Hamburg, Geschäftsführer: Matthew Scott Sucherman, Paul
>>> Terence Manicle
>>> (Sorry; I'm legally required to add this exciting detail to emails.
>>> Bleh.)
>>>
>>

Received on Friday, 9 October 2015 16:14:24 UTC