W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2016

Re: [referrer] Providing safer policy states

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 8 Apr 2016 05:54:14 +0200
Message-ID: <CADnb78iBQY2_4X6Hq+CVruAKgGwUKepZre41=pL=Y-CvKZ4d9g@mail.gmail.com>
To: "Emily Stark (Dunn)" <estark@google.com>
Cc: Mike West <mkwst@google.com>, Francois Marier <francois@mozilla.com>, Jochen Eisinger <eisinger@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Apr 8, 2016 at 5:35 AM, Emily Stark (Dunn) <estark@google.com> wrote:
> Just because they have to change referrerpolicy="origin" to
> referrerpolicy="'origin'"? That doesn't seem so burdensome to me. (And in
> Chrome we would follow the normal Blink deprecation process, including
> measuring usage and only removing support when it's low enough.)

All churn is burdensome. And breaking this would actually break
security guarantees of capability URLs. Also, see principles 2.1, 2.2,
and 2.5 of https://www.w3.org/TR/html-design-principles/, and maybe
3.2. It's not exactly clear why we'd want to make backwards
incompatible changes here.

> We already removed the CSP referrer directive in
> https://github.com/w3c/webappsec-referrer-policy/pull/14. What's different
> here? Because it's a newer feature?

I don't really know what the implementation status of the CSP referrer
directive was so it's hard to comment on that. But if that was
deployed by multiple browsers that too would be problematic.

Received on Friday, 8 April 2016 03:54:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:55 UTC