
Re: [referrer] Providing safer policy states

From: Francois Marier <francois@mozilla.com>
Date: Wed, 20 Apr 2016 08:10:40 -0700
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <57179BF0.2010305@mozilla.com>
On 19/04/16 10:05 PM, Brad Hill wrote:
> I would definitely be against changing the meaning of the existing
> policy states to break sending referrers across https->http transitions,
> since that was the biggest motivating use case for the feature, and it
> is very inconvenient to have to do browser sniffing and send different
> policies that sometimes say the same thing but mean different things
> across different UAs and different versions of the same UA.  
> Who will be the "customers" for these new states that we think it is a
> good idea to break / force change on the existing users?

Renaming the existing states so that the spec is safe-by-default is a
separate issue from adding the new states.

We could, for example, add:


instead of renaming:

  origin -> unsafe-origin
  origin-when-cross-origin -> unsafe-origin-when-cross-origin

Received on Wednesday, 20 April 2016 15:11:11 UTC
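To make concrete what "safe-by-default" refers to here, this added example (not part of the thread or of any browser's code) evaluates the Referrer Policy algorithm for a navigation and shows which policy states still send the referrer's origin across an https->http downgrade. The thread does not name the new states; the strict-origin and strict-origin-when-cross-origin values below are the ones in the current Referrer Policy spec, included for comparison, and the URLs are constructed samples.

```javascript
// Added example: compute the Referer value a UA sends for a navigation
// from `from` to `to` under a given Referrer Policy, following the spec's
// "determine request's referrer" steps. Sample URLs are constructed.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Spec "strip url for use as a referrer": drop credentials and fragment,
// or reduce to the serialized origin plus "/" when originOnly is set.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  if (originOnly) return originOf(url) + '/';
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}

// A downgrade is a navigation from a TLS-protected page to a plaintext one.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}

function referrerFor(policy, from, to) {
  const sameOrigin = originOf(from) === originOf(to);
  const downgrade = isDowngrade(from, to);
  switch (policy) {
    case 'no-referrer': return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : stripForReferrer(from, false);
    case 'same-origin': return sameOrigin ? stripForReferrer(from, false) : null;
    case 'origin': return stripForReferrer(from, true);                    // origin sent even on downgrade
    case 'origin-when-cross-origin': return stripForReferrer(from, !sameOrigin); // likewise
    case 'strict-origin': return downgrade ? null : stripForReferrer(from, true);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(from, false);
      return downgrade ? null : stripForReferrer(from, true);
    case 'unsafe-url': return stripForReferrer(from, false);
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Which of the given policies send anything at all on a downgrade
// (constructed sample URLs: an https page navigating to an http resource).
function policiesLeakingOnDowngrade(policies) {
  const from = 'https://user:pw@bank.example/account?id=42#top';
  const to = 'http://tracker.example/pixel.gif';
  return policies.filter(p => referrerFor(p, from, to) !== null);
}
```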
