- From: Patrick Toomey <patrick.toomey@github.com>
- Date: Sun, 16 Oct 2016 16:29:49 +0000
- To: Emily Stark <estark@google.com>, Evan J Johnson <e@ejj.io>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAN4Q8dBsDCvBN66a=+5_pzB92jg3Pt39zLY-87ed1cArvZUBEg@mail.gmail.com>
Doh.. I just realized I misread the example in the spec, and it wouldn't work with a strictness ordering, since the goal there was to use unsafe-url if it was supported.

On Sun, Oct 16, 2016 at 10:23 AM Patrick Toomey <patrick.toomey@github.com> wrote:

> Was there discussion of doing something like csp for multiple policies, where the meta tag/subsequent policies can only make the policy more strict? If there was some strictness ordering defined (no referrer on one end and unsafe-url on the other), you could still support the multiple policy fallback example you mentioned by listing the most lenient policy first and the most strict policy last. Browsers that didn't recognize one would just skip it. Whereas, browsers that did recognize all policies would take the last/most strict one.
>
> On Sun, Oct 16, 2016 at 10:12 AM Emily Stark <estark@google.com> wrote:
>
>> Hi Evan,
>>
>> If the browser recognizes the policy in a meta tag as a valid policy, then it would override any policy set by a header for the document. This is mentioned in https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values ("the value of the latest one will be used"), though I'd happily take suggestions on how to make it clearer!
>>
>> Emily
>>
>> On Sun, Oct 16, 2016 at 1:13 AM, Evan J Johnson <e@ejj.io> wrote:
>>
>>> Glad to see this is being finished!
>>>
>>> I'm curious about the order of precedence of the 5 different ways to set a referrer policy.
>>>
>>> This is very confusing in my opinion (something I will begin to say about a lot of specs). The spec reads like the following is possible, unless I'm missing something:
>>>
>>> 1. Blanket referrer policy set by header.
>>> 2. Different referrer policy set by meta tag.
>>> 3. Third policy as an attribute.
>>>
>>> I would assume the most specific policy would win, in this case the noreferrer attribute, but which policy wins out of 1 and 2?
>>>
>>> evan
>>>
>>> On Sat, Oct 15, 2016, at 09:18 PM, Emily Stark wrote:
>>>
>>>> This is a call for consensus of the WebAppSec WG to request advancement of Referrer Policy to Candidate Recommendation.
>>>>
>>>> The text for the proposed CR draft is to be the Editor's Draft at: https://w3c.github.io/webappsec-referrer-policy/
>>>>
>>>> This call for consensus will expire on 23-October-2016. Positive feedback is encouraged and lack of feedback is considered "no objection". Please send feedback to: public-webappsec@w3.org with a subject line beginning with '[REFERRER]'.
>>>>
>>>> Thanks,
>>>> Emily
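As an added illustration (not part of this thread, nor the spec's own code), the precedence the messages above describe, written out as a small resolver: unknown tokens in a Referrer-Policy header are skipped and the last recognized one wins (which is what makes the "lenient fallback first, preferred policy last" pattern work), a recognized meta value replaces the header's policy, and an element's referrerpolicy attribute overrides the document's. Legacy meta values (never/always/origin/default) and the user agent's default policy when nothing is set are assumed out of scope here.

```javascript
// Added example: resolving the effective referrer policy from the three
// sources discussed in the thread. Assumes the policy names of the 2016
// Editor's Draft; legacy <meta name="referrer"> values are not handled.
const REFERRER_POLICIES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// Parse a Referrer-Policy header value. Tokens are comma separated; an
// unknown token is skipped and the last recognised token wins, so a site can
// list a widely supported fallback first and a newer policy last.
function parseReferrerPolicyHeader(headerValue) {
  let policy = ""; // "" means "no policy set by this header"
  for (const raw of headerValue.split(",")) {
    const token = raw.trim().toLowerCase();
    if (REFERRER_POLICIES.has(token)) policy = token;
  }
  return policy;
}

// Document-level policy: a recognised <meta name="referrer"> value is the
// later source and overrides the header ("the value of the latest one will
// be used"); an unrecognised meta value leaves the header's policy in place.
function documentReferrerPolicy(headerValue, metaContent) {
  const fromHeader = parseReferrerPolicyHeader(headerValue || "");
  const meta = (metaContent || "").trim().toLowerCase();
  return REFERRER_POLICIES.has(meta) ? meta : fromHeader;
}

// Request-level policy: a recognised referrerpolicy attribute on the element
// issuing the request takes precedence over the document's policy; an empty
// or unrecognised attribute falls back to the document's policy.
function requestReferrerPolicy(documentPolicy, attrValue) {
  const attr = (attrValue || "").trim().toLowerCase();
  return REFERRER_POLICIES.has(attr) ? attr : documentPolicy;
}
```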
Received on Sunday, 16 October 2016 16:30:27 UTC