Re: Move `referrer` from CSP to some other header.

+1

I am happy we are going back to the roots and not stuffing everything into
CSP.

On Fri, Oct 9, 2015 at 9:13 AM, Ian Melven <ian.melven@gmail.com> wrote:

>
> FWIW, I'm also pleased to see CSP heading back in this direction and away
> from the 'security kitchen sink' direction.
>
> ian
>
>
> On Fri, Oct 9, 2015 at 9:09 AM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> +1
>>
>> On Fri, Oct 9, 2015 at 6:55 AM Jochen Eisinger <eisinger@google.com>
>> wrote:
>>
>>> fine by me
>>>
>>> On Fri, Oct 9, 2015 at 3:45 PM Mike West <mkwst@google.com> wrote:
>>>
>>>> So, while rewriting most of CSP, I think I've decided that Brian was
>>>> right, way back in
>>>> https://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html
>>>> .
>>>> CSP is simpler to conceptualize as a purely restrictive mechanism, and
>>>> I'm on board with the idea that we should keep it that way.
>>>>
>>>> To that end, I would suggest that we drop the `referrer` directive
>>>> from the referrer policy spec, and turn it into a distinct header (how
>>>> about `referrer: [type]` (or, `referer: origin` in the interests of
>>>> historical amusement, and potentially turning on that exciting header
>>>> compression that HTTP/2 folks go on about)).
>>>>
>>>> CCing Brian, Brad, and Dan, who seemed most active in the conversation
>>>> a year ago.
>>>>
>>>> WDYT?
>>>>
>>>> --
>>>> Mike West <mkwst@google.com>, @mikewest
>>>>
>>>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
>>>> Registration court and number: Hamburg, HRB 86891, Registered
>>>> office: Hamburg, Managing directors: Matthew Scott Sucherman, Paul
>>>> Terence Manicle
>>>> (Sorry; I'm legally required to add this exciting detail to emails.
>>>> Bleh.)
>>>>
>>>
>

Received on Saturday, 10 October 2015 07:57:32 UTC