W3C home > Mailing lists > Public > public-script-coord@w3.org > October to December 2012

Re: [whatwg] Document referrer and script entry point

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 23 Oct 2012 22:03:25 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
cc: Bobby Holley <bobbyholley@gmail.com>, Adam Barth <w3c@adambarth.com>, public-script-coord@w3.org
Message-ID: <Pine.LNX.4.64.1210232158150.2471@ps20323.dreamhostps.com>
On Tue, 23 Oct 2012, Boris Zbarsky wrote:
> On 10/23/12 2:34 AM, Ian Hickson wrote:
> > I need to study whether we should do that, or change the definition of
> > source browsing context. It'd be a bit weird for them to be different.
> > Also, I expect that if it's good to remove the logic that's Gecko
> > currently has to do the Referer stuff, then it'd be equally good to remove
> > that logic for the other things the source browsing context is used for,
> > e.g. the sandbox security checks.
> > 
> > Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=19662
> 
> Security information is associated with compiled script, in the end, not 
> with browsing contexts.
> 
> Can you point to where we use source browsing contexts for security 
> checks? That seems very odd to me.

The navigation algorithm uses the sandbox flags from the source browsing 
context to determine whether the navigation is allowed, per the spec. I 
think it probably makes sense to change this to the entry script as well.


> Also note something I said earlier in this thread: if navigation is 
> triggered by calling click() on an <a> element, the referrer should 
> probably be the URI of the ownerDocument of that element, not anything 
> related to scripts in any way.

That's already the case, per spec. (The click() method causes, in due 
course, the activation behavior to trigger, which for <a> is defined as, 
in the simple case, "follow the hyperlink", which itself is defined as 
using the browsing context of the Document of the element as the source 
browsing context.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 23 October 2012 22:03:48 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 May 2013 19:30:07 UTC