
Re: Move `referrer` from CSP to some other header.

From: Ian Melven <ian.melven@gmail.com>
Date: Fri, 9 Oct 2015 09:13:54 -0700
Message-ID: <CA+0m=FdNVmmtU_nNseisj8QMDnbOsKirUyb922+341u+_r8Tpw@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Jochen Eisinger <eisinger@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>, Dan Veditz <dveditz@mozilla.com>
FWIW, i'm also pleased to see CSP heading back in this direction and away
from the 'security kitchen sink' direction.

ian


On Fri, Oct 9, 2015 at 9:09 AM, Brad Hill <hillbrad@gmail.com> wrote:

> +1
>
> On Fri, Oct 9, 2015 at 6:55 AM Jochen Eisinger <eisinger@google.com>
> wrote:
>
>> fine by me
>>
>> On Fri, Oct 9, 2015 at 3:45 PM Mike West <mkwst@google.com> wrote:
>>
>>> So, while rewriting most of CSP, I think I've decided that Brian was
>>> right, way back in
>>> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html.
>>> CSP is simpler to conceptualize as a purely restrictive mechanism, and
>>> I'm on board with the idea that we should keep it that way.
>>>
>>> To that end, I would suggest that we drop the `referrer` directive
>>> from the referrer policy spec, and turn it into a distinct header (how
>>> about `referrer: [type]` (or, `referer: origin` in the interests of
>>> historical amusement, and potentially turning on that exciting header
>>> compression that HTTP/2 folks go on about)).
>>>
>>> CCing Brian, Brad, and Dan, who seemed most active in the conversation
>>> a year ago.
>>>
>>> WDYT?
>>>
>>> --
>>> Mike West <mkwst@google.com>, @mikewest
>>>
>>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
>>> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
>>> Gesellschaft: Hamburg, Geschäftsführer: Matthew Scott Sucherman, Paul
>>> Terence Manicle
>>> (Sorry; I'm legally required to add this exciting detail to emails.
>>> Bleh.)
>>>
>>
Received on Friday, 9 October 2015 16:14:24 UTC
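An added illustration of the composition point made in the quoted thread (this is example code written for this page, not anything from the thread, from CSP, or from the Referrer Policy specification). CSP combines multiple delivered policies restrictively: a load is permitted only if every policy permits it, so an extra header can only tighten things. A referrer policy is a choice among behaviours rather than a restriction, and two such choices have no "both must pass" combination; a standalone header can instead carry its own conflict rule. The `resolve_referrer_policy` function below assumes the last-recognised-token-wins rule and the keyword set of the later Referrer Policy specification (the thread itself only floats `referrer: [type]`); the source-expression matcher is deliberately simplified to `*`, `'none'`, `'self'`, host and `*.host` forms, and the origins are constructed sample values.

```python
"""Why a 'referrer' setting composes badly under CSP's all-must-pass rule.

Added example for this archive page; not code from the thread or specs.
"""

REFERRER_POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def parse_csp(header):
    """Parse one serialized CSP into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_matches(expr, origin, self_origin):
    """Simplified source-expression match (subset of the CSP grammar)."""
    expr = expr.lower()
    if expr == "*":
        return True
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin == self_origin
    scheme, _, host = expr.partition("://")
    if not host:                      # host-only form such as example.com or *.example.com
        scheme, host = "", scheme
    o_scheme, _, o_host = origin.partition("://")
    if scheme and scheme != o_scheme:
        return False
    if host.startswith("*."):
        return o_host.endswith(host[1:])
    return host == o_host


def policy_allows(policy, directive, origin, self_origin):
    """One policy: fetch directive falls back to default-src; absent means unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(_source_matches(s, origin, self_origin) for s in sources)


def csp_allows(headers, directive, origin, self_origin):
    """Restrictive composition: every delivered policy must allow the load."""
    return all(policy_allows(parse_csp(h), directive, origin, self_origin)
               for h in headers)


def resolve_referrer_policy(header_values):
    """Standalone header: the last recognised token wins; unknown tokens are ignored."""
    chosen = ""
    for value in header_values:
        for token in value.split(","):
            token = token.strip().lower()
            if token in REFERRER_POLICIES:
                chosen = token
    return chosen


def referrer_from_csp(headers):
    """What a 'referrer' directive inside CSP leaves us with when two policies
    disagree: a set of candidate values and no restrictive rule to pick one."""
    values = set()
    for h in headers:
        policy = parse_csp(h)
        if policy.get("referrer"):
            values.add(policy["referrer"][0].lower())
    return values


if __name__ == "__main__":
    # Constructed sample origins and headers.
    self_origin = "https://app.example"
    one = ["default-src 'self'; script-src 'self' https://cdn.example"]
    two = one + ["script-src 'self'"]            # second policy tightens the first
    print(csp_allows(one, "script-src", "https://cdn.example", self_origin))   # True
    print(csp_allows(two, "script-src", "https://cdn.example", self_origin))   # False
    print(resolve_referrer_policy(["unsafe-url, origin", "no-referrer"]))     # no-referrer
    print(referrer_from_csp(["referrer origin", "referrer no-referrer"]))      # ambiguous set
```

Running the module shows the asymmetry directly: adding a second Content-Security-Policy header can only block more, while two `referrer` directives inside CSP leave an ambiguity that the standalone header's own ordering rule resolves cleanly.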
