Re: [whatwg] meta referrer as always-origin
On Fri, Aug 15, 2014 at 11:12 PM, Anne van Kesteren ann...@annevk.nl wrote: On Sat, Aug 16, 2014 at 8:09 AM, Anne van Kesteren ann...@annevk.nl wrote: On Fri, Aug 15, 2014 at 11:28 PM, Jonas Sicking jo...@sicking.cc wrote: Could we introduce a always-origin value for meta referrer which combines the origin and always policies? That is called Origin Only: http://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-states It does not seem exposed as a value for meta name=referrer at this point. Actually, it seems that is the origin value, my bad. Why did you think that was behaving differently? Because the description for always contains the text Note: This might cause https referrers to be sent over the network as part of unencrypted HTTP requests., but the description for origin does not. / Jonas
Re: [whatwg] meta referrer as always-origin
On Fri, Aug 15, 2014 at 11:28 PM, Jonas Sicking jo...@sicking.cc wrote: Could we introduce a always-origin value for meta referrer which combines the origin and always policies? That is called Origin Only: http://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-states It does not seem exposed as a value for meta name=referrer at this point. -- http://annevankesteren.nl/
Re: [whatwg] meta referrer as always-origin
On Sat, Aug 16, 2014 at 8:09 AM, Anne van Kesteren ann...@annevk.nl wrote: On Fri, Aug 15, 2014 at 11:28 PM, Jonas Sicking jo...@sicking.cc wrote: Could we introduce a always-origin value for meta referrer which combines the origin and always policies? That is called Origin Only: http://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-states It does not seem exposed as a value for meta name=referrer at this point. Actually, it seems that is the origin value, my bad. Why did you think that was behaving differently? -- http://annevankesteren.nl/
[whatwg] meta referrer as always-origin
Hi All, Right now the meta referrer spec has two separate features: You can specify a origin policy which enables sending just the origin whenever a referrer is sent. You can also specify always in order to override UA policies like don't send referrer when navigating from https to http sites. However you currently can't combine the two. I.e. if you want to override UA policies, you are forced to send the whole URL string. This seems counter intuitive since that's when you might really want to just send the origin. Could we introduce a always-origin value for meta referrer which combines the origin and always policies? / Jonas
