Intent to Deprecate and Remove: CSP 'referrer' directive


Emily Stark

Oct 23, 2016, 15:38:28
to blink-dev

Primary eng (and PM) emails

est...@chromium.org


Summary

The CSP 'referrer' directive allows site owners to set a Referrer Policy (https://w3c.github.io/webappsec-referrer-policy/) for their page from an HTTP header. The 'referrer' directive has been removed from the spec and replaced with the Referrer-Policy header.


Motivation

This feature has very low usage (<= 0.0001% of page loads) and has been obviated by the Referrer-Policy header, which will ship in M56.


Compatibility Risk

Firefox is the only other browser that supports this CSP directive. Thus developers who are using this feature have already accepted the risk that the referrer policy will not be applied to their page for all their users.


Alternative implementation suggestion for web developers

The Referrer-Policy header or the <meta name="referrer"> tag.


Usage information from UseCounter

<= 0.0001% of page loads


Entry on the feature dashboard

There doesn't appear to be a chromestatus entry for CSP 'referrer', but the other Referrer Policy entries are https://www.chromestatus.com/feature/5639972996513792 and https://www.chromestatus.com/feature/5126747842412544


Requesting approval to remove too?

Yes
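
An added example, not part of the original post or of Chromium's code: a header audit that finds the removed CSP `referrer` directive and proposes the equivalent `Referrer-Policy` header. The function names and sample headers are constructed for illustration, and the accepted tokens are the policy values defined by the Referrer Policy spec.

```python
# Added example: locate the removed CSP 'referrer' directive in response headers.
# Policy tokens defined by the Referrer Policy spec (valid Referrer-Policy values).
REFERRER_POLICY_TOKENS = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def find_csp_referrer(csp_value):
    """Return the value of every 'referrer' directive in a CSP header value."""
    found = []
    for policy in csp_value.split(","):        # comma separates whole policies
        for directive in policy.split(";"):    # semicolon separates directives
            parts = directive.split()
            # Match on the directive name only, so a source such as
            # https://referrer.example inside script-src is not a hit.
            if parts and parts[0].lower() == "referrer":
                found.append(parts[1].lower() if len(parts) > 1 else "")
    return found

def audit(headers):
    """headers: list of (name, value) pairs. Returns one finding per directive."""
    has_header = any(n.lower() == "referrer-policy" for n, _ in headers)
    findings = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for token in find_csp_referrer(value):
            known = token in REFERRER_POLICY_TOKENS
            findings.append({
                "token": token,
                # Unknown or empty tokens need a manual decision, not a guess.
                "replacement": f"Referrer-Policy: {token}" if known else None,
                "referrer_policy_present": has_header,
            })
    return findings

# Constructed sample response headers.
SAMPLE = [
    ("Content-Security-Policy",
     "default-src 'self'; referrer origin-when-cross-origin; "
     "script-src https://referrer.example"),
    ("X-Frame-Options", "DENY"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding with `referrer_policy_present` set to false marks a page that will lose its referrer policy once the directive is ignored.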

Philip Jägenstedt

Oct 23, 2016, 16:57:33
to Emily Stark, blink-dev
LGTM1

TAMURA, Kent

Oct 23, 2016, 23:29:45
to Philip Jägenstedt, Emily Stark, blink-dev
LGTM2

--
TAMURA Kent
Software Engineer, Google


Jochen Eisinger

Oct 24, 2016, 00:37:49
to TAMURA, Kent, Philip Jägenstedt, Emily Stark, blink-dev
lgtm3

Philip Jägenstedt

Oct 24, 2016, 06:23:32
to Jochen Eisinger, TAMURA, Kent, Emily Stark, blink-dev
I overlooked this from the other thread:

"""
Actually, in writing up the Intent to Remove, I realized that it looks like Firefox did in fact implement this: https://bugzilla.mozilla.org/show_bug.cgi?id=965727

Does that change the calculus here? Since IE/Edge/Safari don't support it, I think Mike's argument still stands that developers are already putting their users at risk if they're using this feature alone to specify a Referrer Policy.
"""

Have you filed a Gecko bug to have their support removed?

Emily Stark

Oct 24, 2016, 11:17:43
to Philip Jägenstedt, Jochen Eisinger, TAMURA, Kent, Emily Stark, blink-dev
Looks like there is already a bug filed: https://bugzilla.mozilla.org/show_bug.cgi?id=1302449

They are logging a console message for a couple releases, but they also don't have any usage data yet.

Philip Jägenstedt

Oct 24, 2016, 11:32:29
to Emily Stark, Jochen Eisinger, TAMURA, Kent, blink-dev
Thanks Emily. Hope the removal works out. Given the support in Firefox I suppose we should be slightly less tolerant of breakage, but let's hope there's none at all.

Joe Medley

Oct 24, 2016, 11:39:58
to Philip Jägenstedt, Emily Stark, Jochen Eisinger, TAMURA, Kent, blink-dev
Emily,

Since the intent is to notify developers of changes, could you please create a separate status entry for this? Do you have an OWP tracking bug?

FYI, information on Chrome Status triggers much of Developer Relations' outreach.

Joe

Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.


Emily Stark

Oct 24, 2016, 12:43:46
to Joe Medley, Philip Jägenstedt, Emily Stark, Jochen Eisinger, TAMURA, Kent, blink-dev
On Mon, Oct 24, 2016 at 8:39 AM, Joe Medley <jme...@google.com> wrote:
> Emily,
>
> Since the intent is to notify developers of changes, could you please create a separate status entry for this? Do you have an OWP tracking bug?

My bad, I didn't realize those things were needed for deprecations/removals.

Joe Medley

Oct 24, 2016, 15:05:41
to Emily Stark, Philip Jägenstedt, Jochen Eisinger, TAMURA, Kent, blink-dev

On Mon, Oct 24, 2016 at 9:43 AM, Emily Stark <est...@chromium.org> wrote:
> https://bugs.chromium.org/p/chromium/issues/detail?id=658761

Thanks.

Are you deprecating and removing in a single version or is there going to be a deprecation period?

Emily Stark

Oct 24, 2016, 15:24:47
to Joe Medley, Emily Stark, Philip Jägenstedt, Jochen Eisinger, TAMURA, Kent, blink-dev
On Mon, Oct 24, 2016 at 12:05 PM, Joe Medley <jme...@google.com> wrote:
> On Mon, Oct 24, 2016 at 9:43 AM, Emily Stark <est...@chromium.org> wrote:
>> https://bugs.chromium.org/p/chromium/issues/detail?id=658761
>
> Thanks.
>
> Are you deprecating and removing in a single version or is there going to be a deprecation period?

Deprecating and removing in M56, because usage is so low and Edge/Safari don't support it at all.

valentina...@gmail.com

Feb 24, 2017, 07:42:08
to blink-dev
yes