Re: [REFERRER] Call for Consensus: Referrer Policy to Candidate Recommendation

Ah thanks Emily. I can see it's a hard question to answer now. Whatever
is processed last, but with one edge case. If I understand, the
precedence is (from highest to lowest):

1. ReferrerPolicy is no-referrer, or rel="noreferrer".
2. Implicit, via inheritance.
3. Any other referrerpolicy attribute that is not "no-referrer"
4. Meta-tag.
5. HTTP Header


On Sun, Oct 16, 2016, at 09:09 AM, Emily Stark wrote:
> Hi Evan,
> If the browser recognizes the policy in a meta tag as a valid policy,
> then it would override any policy set by a header for the document.
> This is mentioned in
> ("the value of the latest one will be used"), though I'd happily take
> suggestions on how to make it clearer!
> Emily
> On Sun, Oct 16, 2016 at 1:13 AM, Evan J Johnson <> wrote:
>> Glad to see this is being finished!
>> I'm curious about the order of precedence of the 5 different ways to set a
>> referrer policy.
>> This is very confusing in my opinion (something I will begin to say
>> about a lot of specs). The spec reads like the following is possible,
>> unless I'm missing something:
>> 1. Blanket referrer policy set by header.
>> 2. Different referrer policy set by meta tag.
>> 3. Third policy as an attribute.
>> I would assume the most specific policy would win, in this case
>> the noreferrer attribute, but which policy wins out of 1 and 2?
>> evan
>> On Sat, Oct 15, 2016, at 09:18 PM, Emily Stark wrote:
>>> This is a call for consensus of the WebAppSec WG to request
>>> advancement of Referrer Policy to Candidate Recommendation.
>>> The text for the proposed CR draft is to be the Editor's Draft at:
>>> This call for consensus will expire on 23-October-2016. Positive
>>> feedback is encouraged and lack of feedback is considered "no
>>> objection". Please send feedback to: with a
>>> subject line beginning with '[REFERRER]'.
>>> Thanks,
>>> Emily

Received on Monday, 17 October 2016 20:50:45 UTC
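
Added example, not part of the original thread or the spec's own text: a JavaScript model of Emily's answer above, in which a recognized meta-tag policy overrides the header policy and the latest recognized value is used. The function names are hypothetical, and treating each meta `content` value as a single token is an assumption of this sketch.

```javascript
// Added illustration; names are hypothetical, not spec or browser APIs.
const VALID_POLICIES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// A Referrer-Policy header value may be a comma-separated list;
// unrecognized tokens are skipped and the last recognized one wins.
function lastRecognizedToken(headerValue) {
  let result = null;
  for (const raw of String(headerValue || "").split(",")) {
    const token = raw.trim().toLowerCase();
    if (VALID_POLICIES.has(token)) result = token;
  }
  return result;
}

// Assumption of this sketch: a meta content value is a single token.
function recognizedMetaPolicy(content) {
  const token = String(content || "").trim().toLowerCase();
  return VALID_POLICIES.has(token) ? token : null;
}

// headerValues: Referrer-Policy header values in the order received.
// metaContents: content of each <meta name="referrer"> in processing order.
// An empty policy string means nothing was set (browser default applies).
function documentReferrerPolicy(headerValues, metaContents) {
  let result = { policy: "", source: "default" };
  for (const value of headerValues) {
    const policy = lastRecognizedToken(value);
    if (policy !== null) result = { policy, source: "header" };
  }
  for (const content of metaContents) {
    const policy = recognizedMetaPolicy(content);
    if (policy !== null) result = { policy, source: "meta" };
  }
  return result;
}

// Constructed sample: header "origin", one bogus and one valid meta tag.
console.log(documentReferrerPolicy(["origin"], ["bogus-value", "no-referrer"]));
```

An unrecognized meta value leaves the header policy in force, which is the case to check when auditing pages that rely on a meta tag to tighten a looser header.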