- From: Francois Marier <francois@mozilla.com>
- Date: Wed, 20 Apr 2016 08:10:40 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 19/04/16 10:05 PM, Brad Hill wrote:
> I would definitely be against changing the meaning of the existing
> policy states to break sending referrers across https->http transitions,
> since that was the biggest motivating use case for the feature, and it
> is very inconvenient to have to do browser sniffing and send different
> policies that sometimes say the same thing but mean different things
> across different UAs and different versions of the same UA.
>
> Who will be the "customers" for these new states that we think it is a
> good idea to break / force change on the existing users?

Renaming the existing states so that the spec is safe-by-default is a
separate issue from adding the new states.

We could for example, add:

  safe-origin
  safe-origin-when-cross-origin

instead of renaming:

  origin -> unsafe-origin
  origin-when-cross-origin -> unsafe-origin-when-cross-origin

Francois
Received on Wednesday, 20 April 2016 15:11:11 UTC