
Re: [referrer] Providing safer policy states

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 6 Apr 2016 08:51:02 +0200
Message-ID: <CADnb78ixe4UnzLNOgt78_uv21Tjqnskz45f-7hsLCZ3zkrym-g@mail.gmail.com>
To: "Emily Stark (Dunn)" <estark@google.com>
Cc: Mike West <mkwst@google.com>, Francois Marier <francois@mozilla.com>, Jochen Eisinger <eisinger@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Apr 6, 2016 at 5:43 AM, Emily Stark (Dunn) <estark@google.com> wrote:
> Adding these new policy states sounds reasonable to me. However, I want to
> note that there's been discussion about expanding the spec to a JSON-based
> syntax that allows much more flexibility. For example, we might want to
> express the policy "'unsafe-url' for navigations to and subresources from
> myadnetwork.com, and 'none' for all other origins" -- maybe using some
> syntax like { "unsafe-url": ["myadnetwork.com", "'self'"], "none": "*"}.
> (I'm not suggesting that as an actual proposal for the syntax, just an idea
> of the kind of thing we were thinking about.) In that world, the policy
> states would just be shorthand for the most commonly used policies.

How would you transition the Fetch API and HTML referrerpolicy attribute?


-- 
https://annevankesteren.nl/
Received on Wednesday, 6 April 2016 06:51:30 UTC
