- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 9 Oct 2015 10:56:32 -0700
- To: Ian Melven <ian.melven@gmail.com>
- Cc: Brad Hill <hillbrad@gmail.com>, Jochen Eisinger <eisinger@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>, Dan Veditz <dveditz@mozilla.com>

+1

On 9 October 2015 at 09:13, Ian Melven <ian.melven@gmail.com> wrote:
>
> FWIW, i'm also pleased to see CSP heading back in this direction and away
> from the 'security kitchen sink' direction.
>
> ian
>
>
> On Fri, Oct 9, 2015 at 9:09 AM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>> +1
>>
>> On Fri, Oct 9, 2015 at 6:55 AM Jochen Eisinger <eisinger@google.com>
>> wrote:
>>>
>>> fine by me
>>>
>>> On Fri, Oct 9, 2015 at 3:45 PM Mike West <mkwst@google.com> wrote:
>>>>
>>>> So, while rewriting most of CSP, I think I've decided that Brian was
>>>> right, way back in
>>>> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html.
>>>> CSP is simpler to conceptualize as a purely restrictive mechanism, and
>>>> I'm on board with the idea that we should keep it that way.
>>>>
>>>> To that end, I would suggest that we drop the `referrer` directive
>>>> from the referrer policy spec, and turn it into a distinct header (how
>>>> about `referrer: [type]` (or, `referer: origin` in the interests of
>>>> historical amusement, and potentially turning on that exciting header
>>>> compression that HTTP/2 folks go on about)).
>>>>
>>>> CCing Brian, Brad, and Dan, who seemed most active in the conversation
>>>> a year ago.
>>>>
>>>> WDYT?
>>>>
>>>> --
>>>> Mike West <mkwst@google.com>, @mikewest
>>>>
>>>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
>>>> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
>>>> Gesellschaft: Hamburg, Geschäftsführer: Matthew Scott Sucherman, Paul
>>>> Terence Manicle
>>>> (Sorry; I'm legally required to add this exciting detail to emails.
>>>> Bleh.)
>
>

Received on Friday, 9 October 2015 17:57:20 UTC