Re: [referrer] Providing safer policy states

On 19/04/16 10:05 PM, Brad Hill wrote:
> I would definitely be against changing the meaning of the existing
> policy states to break sending referrers across https->http transitions,
> since that was the biggest motivating use case for the feature, and it
> is very inconvenient to have to do browser sniffing and send different
> policies that sometimes say the same thing but mean different things
> across different UAs and different versions of the same UA.  
> 
> Who will be the "customers" for these new states that we think it is a
> good idea to break / force change on the existing users?

Renaming the existing states so that the spec is safe-by-default is a
separate issue from adding the new states.

We could, for example, add:

  safe-origin
  safe-origin-when-cross-origin

instead of renaming:

  origin -> unsafe-origin
  origin-when-cross-origin -> unsafe-origin-when-cross-origin

Francois

Received on Wednesday, 20 April 2016 15:11:11 UTC