Re: [referrer] Providing safer policy states

On Fri, Apr 8, 2016 at 5:35 AM, Emily Stark (Dunn) <estark@google.com> wrote:
> Just because they have to change referrerpolicy="origin" to
> referrerpolicy="'origin'"? That doesn't seem so burdensome to me. (And in
> Chrome we would follow the normal Blink deprecation process, including
> measuring usage and only removing support when it's low enough.)

All churn is burdensome. And breaking this would actually break
security guarantees of capability URLs. Also, see principles 2.1, 2.2,
and 2.5 of https://www.w3.org/TR/html-design-principles/, and maybe
3.2. It's not exactly clear why we'd want to make backwards
incompatible changes here.


> We already removed the CSP referrer directive in
> https://github.com/w3c/webappsec-referrer-policy/pull/14. What's different
> here? Because it's a newer feature?

I don't really know what the implementation status of the CSP referrer
directive was, so it's hard to comment on that. But if that was
deployed by multiple browsers, that too would be problematic.


-- 
https://annevankesteren.nl/

Received on Friday, 8 April 2016 03:54:38 UTC
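
The "security guarantees of capability URLs" point in the reply above comes down to which policy states keep a secret-bearing URL out of the Referer header. The following is an added example, not code from the thread or from any browser: a small model of the Referrer Policy states applied to a constructed capability URL. It takes the state names as they appear in the `referrerpolicy` attribute and assumes, as simplifications, that only `https:` counts as TLS-protected, that the empty policy means `no-referrer-when-downgrade` (the default at the time of this thread; current browsers default to `strict-origin-when-cross-origin`), and that only http(s) URLs are passed in (the spec's handling of local schemes is omitted). The host names are constructed.

```javascript
// Added example: model of the Referrer Policy states deciding what Referer
// value, if any, accompanies a request. Simplifications assumed here: only
// https: is treated as TLS-protected, "" is read as no-referrer-when-downgrade,
// and inputs are http(s) URLs.

// "Strip url for use as a referrer": drop credentials and fragment; with
// originOnly, keep just scheme://host[:port]/ .
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) {
    return u.origin + "/";
  }
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.toString();
}

function isTlsProtected(url) {
  return new URL(url).protocol === "https:";
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the referrer string to send, or null for "no referrer".
function computeReferrer(referrerURL, targetURL, policy) {
  const full = stripForReferrer(referrerURL, false);
  const originOnly = stripForReferrer(referrerURL, true);
  const downgrade = isTlsProtected(referrerURL) && !isTlsProtected(targetURL);
  const same = sameOrigin(referrerURL, targetURL);

  switch (policy) {
    case "no-referrer":
      return null;
    case "": // assumed default for this model: no-referrer-when-downgrade
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "same-origin":
      return same ? full : null;
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "origin-when-cross-origin":
      return same ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (same) return full;
      return downgrade ? null : originOnly;
    case "unsafe-url":
      return full;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

const POLICY_STATES = [
  "", "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "unsafe-url",
];

// Constructed capability URL: the secret is carried in the query string.
const CAPABILITY_URL = "https://docs.example/share/abc?token=SECRET-CAPABILITY";
// Constructed cross-origin subresource that would receive the Referer header.
const THIRD_PARTY = "https://cdn.example/widget.js";

// Which states keep the capability out of the Referer sent to targetURL?
function policiesThatProtect(referrerURL, targetURL) {
  return POLICY_STATES.filter((p) => {
    const r = computeReferrer(referrerURL, targetURL, p);
    return r === null || !r.includes("token=");
  });
}

// Usage: show what the third party would see under each state.
for (const p of POLICY_STATES) {
  const r = computeReferrer(CAPABILITY_URL, THIRD_PARTY, p);
  console.log(`${p || "(empty)"} -> ${r === null ? "(no Referer)" : r}`);
}
```

Under `origin` the third party sees only `https://docs.example/`, while `unsafe-url` and the 2016-era default leak the token; that is the guarantee a site relying on `referrerpolicy="origin"` would lose if the attribute value it already ships stopped being recognised.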