- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 8 Apr 2016 05:54:14 +0200
- To: "Emily Stark (Dunn)" <estark@google.com>
- Cc: Mike West <mkwst@google.com>, Francois Marier <francois@mozilla.com>, Jochen Eisinger <eisinger@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Apr 8, 2016 at 5:35 AM, Emily Stark (Dunn) <estark@google.com> wrote:
> Just because they have to change referrerpolicy="origin" to
> referrerpolicy="'origin'"? That doesn't seem so burdensome to me. (And in
> Chrome we would follow the normal Blink deprecation process, including
> measuring usage and only removing support when it's low enough.)

All churn is burdensome. And breaking this would actually break
security guarantees of capability URLs. Also, see principles 2.1, 2.2,
and 2.5 of https://www.w3.org/TR/html-design-principles/, and maybe
3.2. It's not exactly clear why we'd want to make backwards
incompatible changes here.

> We already removed the CSP referrer directive in
> https://github.com/w3c/webappsec-referrer-policy/pull/14. What's different
> here? Because it's a newer feature?

I don't really know what the implementation status of the CSP referrer
directive was so it's hard to comment on that. But if that was
deployed by multiple browsers that too would be problematic.

--
https://annevankesteren.nl/

Received on Friday, 8 April 2016 03:54:38 UTC