
Re: Quoted Referrer-Policy values

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 7 Sep 2016 18:26:15 +0200
Message-ID: <CADnb78gM5ZjMtysOh5Y6Ua4ry64Lm1jXZGs-K1Rs77S0reBMAw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "Emily Stark (Dunn)" <estark@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Francois Marier <francois@mozilla.com>, Franziskus Kiefer <fkiefer@mozilla.com>

On Wed, Sep 7, 2016 at 5:59 PM, Mike West <mkwst@google.com> wrote:
> 1. We're defining more headers than anyone else at the moment, so we should
> probably have an opinion.

Yeah, I don't think we can do it in isolation though. We should also
figure out the parsing for existing headers and figure out some kind
of holistic strategy. Just using JSON for headers we add (but not
necessarily all, unless you have a plan for catching all new headers
that get into browsers) might help, but unless there's agreement we
can never get to the point where all existing headers are in some
safelist and everything new gets parsed as JSON.

> 2. Quoting things is fairly agnostic; it leaves room for a number of more
> structure options that barewords don't. It's also super low-cost. Seems like
> a reasonable baby step.

Is quoted-string in HTTP case-insensitive? This probably shouldn't be
if we want actual JSON.

Received on Wednesday, 7 September 2016 16:26:42 UTC
