I'd not heard of this.
But on reading it closely, I don't think it regulates the referer header, rather it prevent restricts the origins of resources that a page can load.So it doesn't work with referrer policies. but I could be wrong
Eric
On Jun 12, 2015, at 12:24 AM, Conal Tuohy <[log in to unmask]> wrote:
>
> Assuming your library web server has a front-end proxy (I guess this is
> pretty common) or at least runs inside Apache httpd or something, then
> rather than use the HTML meta tag, it might be easier to set the "referer"
> policy via the "Content-Security-Policy" HTTP header field.
>
> https://w3c.github.io/webappsec/specs/content-security-policy/#content-security-policy-header-field
>
> e.g. in Apache httpd with mod_headers:
>
> Header set Content-Security-Policy referrer 'no-referrer'
>
>
>
|