W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2016

Re: [REFERRER] Call for Consensus: Referrer Policy to Candidate Recommenation

From: Emily Stark <estark@google.com>
Date: Sun, 16 Oct 2016 09:09:34 -0700
Message-ID: <CAPP_2SaNF4svRHPXfBo+yM2qx2xFTAE4aQJ_Vx=wKEDFi0EjHQ@mail.gmail.com>
To: Evan J Johnson <e@ejj.io>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi Evan,
If the browser recognizes the policy in a meta tag as a valid policy, then
it would override any policy set by a header for the document. This is
mentioned in
("the value of the latest one will be used"), though I'd happily take
suggestions on how to make it clearer!

On Sun, Oct 16, 2016 at 1:13 AM, Evan J Johnson <e@ejj.io> wrote:

> Glad to see this is being finished!
> I'm curious the order of precedence of the 5 different ways to set a
> referrer policy.
> This is very confusing in my opinion (something I will begin to say about
> a lot of specs). The spec reads like the following is possible, unless I'm
> missing something:
> 1. Blanket referrer policy set by header.
> 2. Different referrer policy set by meta tag.
> 3. Third policy as an attribute.
> I would assume the the most specific policy would win, in this case the
> noreferrer attribute, but which policy wins out of 1 and 2?
> evan
> On Sat, Oct 15, 2016, at 09:18 PM, Emily Stark wrote:
> This is a call for consensus of the WebAppSec WG to request advancement of
> Referrer Policy to Candidate Recommendation.
> The text for the proposed CR draft is to be the Editor's Draft at:
> https://w3c.github.io/webappsec-referrer-policy/
> This call for consensus will expire on 23-October-2016. Positive feedback
> is encouraged and lack of feedback is considered "no objection". Please
> send feedback to: public-webappsec@w3.org with a subject line beginning
> with '[REFERRER]'.
> Thanks,
> Emily
Received on Sunday, 16 October 2016 16:10:28 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:58 UTC