@@ -18,7 +18,6 @@ <h1>Content Security Policy Level 2</h1>
1818Indent: 2
1919At Risk: [[#csp-request-header]]
2020At Risk: [[#directive-child-src]]
21- At Risk: [[#directive-referrer]]
2221At Risk: [[#directive-reflected-xss]]
2322</ pre >
2423
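Review bot: Dropping the `At Risk: [[#directive-referrer]]` line at old line 21 is correct only because the anchor it names disappears in the same commit (old line 2862 in the later hunk); the other three At Risk entries (`#csp-request-header`, `#directive-child-src`, `#directive-reflected-xss`) stay, so the status metadata gives no signal that one at-risk feature has actually been cut rather than stabilised. Suggest recording the removal of `referrer` in the document's status or changes text instead of deleting the marker silently.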
@@ -316,10 +315,6 @@ <h3 id="changes-from-level-1">Changes from Level 1</h3>
316315 < a > < code > plugin-types</ code > </ a > controls the < a > protected
317316 resource</ a > 's ability to load specific types of plugins.
318317 </ li >
319- < li >
320- < a > < code > referrer</ code > </ a > controls the < a > protected resource</ a > 's
321- referrer policy [[!REFERRER]].
322- </ li >
323318 < li >
324319 < a > < code > reflected-xss</ code > </ a > controls the user agent's built-in
325320 heuristics to actively protect against XSS. It is meant to supplant
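Review bot: Removing this bullet may leave `[[!REFERRER]]` as a normative reference with no remaining citation once the `referrer` directive section is also deleted; confirm another `[[!REFERRER]]` citation survives, otherwise it becomes a dangling normative dependency that Bikeshed will report as unused. The "Changes from Level 1" list now also jumps from `plugin-types` to `reflected-xss` with no trace of the directive that earlier Level 2 drafts defined; a short replacement bullet along the lines of "The `referrer` directive has been removed; referrer policy is defined by [[!REFERRER]]." would keep the list an accurate change log.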
@@ -2849,58 +2844,6 @@ <h4 id="plugin-types-predeclaration">
28492844 </ section >
28502845 </ section >
28512846
2852- <!--
2853- ████████ ████████ ████████ ████████ ████████ ████████ ████████ ████████
2854- ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
2855- ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
2856- ████████ ██████ ██████ ██████ ████████ ████████ ██████ ████████
2857- ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
2858- ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
2859- ██ ██ ████████ ██ ████████ ██ ██ ██ ██ ████████ ██ ██
2860- -->
2861- < section >
2862- < h3 id ="directive-referrer "> < code > referrer</ code > </ h3 >
2863-
2864- The < code > < dfn > referrer</ dfn > </ code > directive specifies the referrer
2865- policy [[!REFERRER]] that the user agent applies when determining what
2866- referrer information should be included with requests made, and with
2867- < a spec ="HTML5 "> browsing contexts</ a > created from the context of the
2868- protected resource. The syntax for the name and value of the directive
2869- are described by the following ABNF grammar:
2870-
2871- < pre >
2872- directive-name = "referrer"
2873- directive-value = "no-referrer" / "no-referrer-when-downgrade" / "origin" / "origin-when-cross-origin" / "unsafe-url"
2874- </ pre >
2875-
2876- Note: The directive name does not share the HTTP header's misspelling.
2877-
2878- When < a > enforcing</ a > the < code > referrer</ code > directive, the user agent
2879- MUST execute [[!REFERRER]]'s
2880- < a href ="https://w3c.github.io/webappsec/specs/referrer-policy/#set-referrer-policy "> Set < var > environment</ var > 's referrer policy to < var > policy</ var > .</ a >
2881- algorithm on the < a > protected resource</ a > 's < a > JavaScript global
2882- environment</ a > using the result of executing the
2883- < a href ="https://w3c.github.io/webappsec/specs/referrer-policy/#determine-policy-for-token "> Determine < var > token</ var > 's Policy</ a >
2884- algorithm on the < code > referrer</ code > directive's value.
2885-
2886- < section class ="informative ">
2887- < h4 id ="referrer-usage "> Usage</ h4 >
2888-
2889- < em > This section is not normative.</ em >
2890-
2891- A protected resource can prevent referrer leakage by specifying
2892- < code > no-referrer</ code > as the value of its policy's
2893- < code > referrer</ code > directive:
2894-
2895- < pre >
2896- Content-Security-Policy: referrer no-referrer;
2897- </ pre >
2898-
2899- This will cause all requests made from the protected resource's
2900- context to have an empty < code > Referer</ code > [sic] header.
2901- </ section >
2902- </ section >
2903-
29042847<!--
29052848████████ ████████ ████████ ██ ████████ ██████ ████████ ████████ ████████ ██ ██ ██████ ██████
29062849██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
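Review bot: Deleting the `<dfn>referrer</dfn>` at old line 2864 removes the link target for every `<a><code>referrer</code></a>` autolink left in the file (directive grammar, directive listings), and Bikeshed fails the build on an unresolved autolink, so grep for `<code>referrer</code>` before merging. Since the removed Usage section documents `Content-Security-Policy: referrer no-referrer;` as a deployment pattern, the spec should state somewhere that a Level 2 user agent now treats that directive as unrecognised and that the equivalent control is the "Set environment's referrer policy" mechanism of [[!REFERRER]] linked at old line 2880; without that pointer, authors relying on the old directive lose referrer suppression with no migration path in the text.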