Re: Move `referrer` from CSP to some other header.

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 9 Oct 2015 10:56:32 -0700
Message-ID: <CAPfop_0pA095YiEuCHw6FhiJpWUbCa6o7w45Kzc2EF7y_jtDfg@mail.gmail.com>
To: Ian Melven <ian.melven@gmail.com>
Cc: Brad Hill <hillbrad@gmail.com>, Jochen Eisinger <eisinger@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>, Dan Veditz <dveditz@mozilla.com>
+1


On 9 October 2015 at 09:13, Ian Melven <ian.melven@gmail.com> wrote:
>
> FWIW, I'm also pleased to see CSP heading back in this direction and away
> from the 'security kitchen sink' direction.
>
> ian
>
>
> On Fri, Oct 9, 2015 at 9:09 AM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>> +1
>>
>> On Fri, Oct 9, 2015 at 6:55 AM Jochen Eisinger <eisinger@google.com>
>> wrote:
>>>
>>> fine by me
>>>
>>> On Fri, Oct 9, 2015 at 3:45 PM Mike West <mkwst@google.com> wrote:
>>>>
>>>> So, while rewriting most of CSP, I think I've decided that Brian was
>>>> right, way back in
>>>> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html.
>>>> CSP is simpler to conceptualize as a purely restrictive mechanism, and
>>>> I'm on board with the idea that we should keep it that way.
>>>>
>>>> To that end, I would suggest that we drop the `referrer` directive
>>>> from the referrer policy spec, and turn it into a distinct header (how
>>>> about `referrer: [type]` (or, `referer: origin` in the interests of
>>>> historical amusement, and potentially turning on that exciting header
>>>> compression that HTTP/2 folks go on about)).
>>>>
>>>> CCing Brian, Brad, and Dan, who seemed most active in the conversation
>>>> a year ago.
>>>>
>>>> WDYT?
>>>>
>>>> --
>>>> Mike West <mkwst@google.com>, @mikewest
>>>>
>>>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
>>>> Registration court and number: Hamburg, HRB 86891, Registered
>>>> office: Hamburg, Managing directors: Matthew Scott Sucherman, Paul
>>>> Terence Manicle
>>>> (Sorry; I'm legally required to add this exciting detail to emails.
>>>> Bleh.)
>
>
Received on Friday, 9 October 2015 17:57:20 UTC
