- From: Patrick Toomey <patrick.toomey@github.com>
- Date: Sun, 16 Oct 2016 16:23:01 +0000
- To: Emily Stark <estark@google.com>, Evan J Johnson <e@ejj.io>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAN4Q8dCgWd8qPQLE3M9hf4-MF90zu2k7zX4xTPtKNj4+6zHUFg@mail.gmail.com>
Was there discussion of doing something like CSP for multiple policies, where the meta tag/subsequent policies can only make the policy more strict? If there was some strictness ordering defined (no referrer on one end and unsafe-url on the other), you could still support the multiple policy fallback example you mentioned by listing the most lenient policy first and the most strict policy last. Browsers that didn't recognize one would just skip it. Whereas, browsers that did recognize all policies would take the last/most strict one.

On Sun, Oct 16, 2016 at 10:12 AM Emily Stark <estark@google.com> wrote:

> Hi Evan,
>
> If the browser recognizes the policy in a meta tag as a valid policy, then it would override any policy set by a header for the document. This is mentioned in https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values ("the value of the latest one will be used"), though I'd happily take suggestions on how to make it clearer!
>
> Emily
>
> On Sun, Oct 16, 2016 at 1:13 AM, Evan J Johnson <e@ejj.io> wrote:
>
> > Glad to see this is being finished!
> >
> > I'm curious about the order of precedence of the 5 different ways to set a referrer policy.
> >
> > This is very confusing in my opinion (something I will begin to say about a lot of specs). The spec reads like the following is possible, unless I'm missing something:
> >
> > 1. Blanket referrer policy set by header.
> > 2. Different referrer policy set by meta tag.
> > 3. Third policy as an attribute.
> >
> > I would assume the most specific policy would win, in this case the noreferrer attribute, but which policy wins out of 1 and 2?
> >
> > evan
> >
> > On Sat, Oct 15, 2016, at 09:18 PM, Emily Stark wrote:
> >
> > > This is a call for consensus of the WebAppSec WG to request advancement of Referrer Policy to Candidate Recommendation.
> > >
> > > The text for the proposed CR draft is to be the Editor's Draft at: https://w3c.github.io/webappsec-referrer-policy/
> > >
> > > This call for consensus will expire on 23-October-2016. Positive feedback is encouraged and lack of feedback is considered "no objection". Please send feedback to: public-webappsec@w3.org with a subject line beginning with '[REFERRER]'.
> > >
> > > Thanks,
> > > Emily
Received on Sunday, 16 October 2016 16:23:39 UTC
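The two resolution rules discussed in this thread, as an added example that is not part of the messages or of the spec: the spec's "latest recognized policy wins" behaviour Emily points to, beside the "later policies may only tighten" rule Patrick proposes. The strictness ordering and the per-browser `known` sets are assumptions for illustration; the spec defines no such ordering, and the token names are the spec's own.

```javascript
// Added example (not from the thread or the spec text): how a document ends up
// with one referrer policy from header tokens and <meta name="referrer"> values,
// taken in the order the browser sees them (header first, then meta tags).
const KNOWN_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);
// Split a Referrer-Policy header value into trimmed, non-empty tokens.
function headerTokens(headerValue) {
  return headerValue.split(",").map((t) => t.trim()).filter((t) => t !== "");
}

// Spec behaviour Emily points to: unrecognized tokens are skipped and the
// latest recognized one wins, so a meta tag can loosen OR tighten the header.
// `known` models which tokens a given browser implements; "" = no policy set.
function resolveLatestRecognized(tokens, known = KNOWN_POLICIES) {
  let policy = "";
  for (const token of tokens) {
    if (known.has(token)) policy = token;
  }
  return policy;
}

// Patrick's proposal (hypothetical, not what the spec does): later policies may
// only tighten, so the strictest recognized token wins. The spec defines no
// strictness ordering; this one (strictest first) is an assumption for illustration.
const STRICTNESS = [
  "no-referrer", "same-origin", "strict-origin", "origin",
  "strict-origin-when-cross-origin", "origin-when-cross-origin",
  "no-referrer-when-downgrade", "unsafe-url",
];
function resolveStrictestRecognized(tokens, known = KNOWN_POLICIES) {
  let best = "";
  for (const token of tokens) {
    if (!known.has(token)) continue;
    if (best === "" || STRICTNESS.indexOf(token) < STRICTNESS.indexOf(best)) best = token;
  }
  return best;
}

// Evan's case: blanket header policy, then a different meta tag that loosens it.
const loosened = [...headerTokens("no-referrer"), "unsafe-url"];
console.log(resolveLatestRecognized(loosened), resolveStrictestRecognized(loosened));

// Fallback list: a browser that has not implemented the newer token (constructed
// `known` set) skips it and is left with the lenient legacy default.
const fallback = headerTokens("no-referrer-when-downgrade, strict-origin-when-cross-origin");
const oldBrowser = new Set(["no-referrer-when-downgrade", "unsafe-url", "no-referrer"]);
console.log(resolveLatestRecognized(fallback, oldBrowser), resolveLatestRecognized(fallback));
```

Under the spec rule the same fallback list gives the newer browser the strict policy and the older one the lenient default, which is the case Patrick's ordering proposal is trying to keep working while still forbidding a meta tag from loosening a header.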