Re: [whatwg] Document referrer and script entry point

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 23 Oct 2012 22:03:25 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
cc: Bobby Holley <bobbyholley@gmail.com>, Adam Barth <w3c@adambarth.com>, public-script-coord@w3.org
Message-ID: <Pine.LNX.4.64.1210232158150.2471@ps20323.dreamhostps.com>
On Tue, 23 Oct 2012, Boris Zbarsky wrote:
> On 10/23/12 2:34 AM, Ian Hickson wrote:
> > I need to study whether we should do that, or change the definition of
> > source browsing context. It'd be a bit weird for them to be different.
> > Also, I expect that if it's good to remove the logic that Gecko
> > currently has to do the Referer stuff, then it'd be equally good to remove
> > that logic for the other things the source browsing context is used for,
> > e.g. the sandbox security checks.
> > 
> > Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=19662
>
> Security information is associated with compiled script, in the end, not
> with browsing contexts.
>
> Can you point to where we use source browsing contexts for security
> checks? That seems very odd to me.

The navigation algorithm uses the sandbox flags from the source browsing 
context to determine whether the navigation is allowed, per the spec. I 
think it probably makes sense to change this to the entry script as well.

> Also note something I said earlier in this thread: if navigation is 
> triggered by calling click() on an <a> element, the referrer should 
> probably be the URI of the ownerDocument of that element, not anything 
> related to scripts in any way.

That's already the case, per spec. (The click() method causes, in due 
course, the activation behavior to trigger, which for <a> is defined as, 
in the simple case, "follow the hyperlink", which itself is defined as 
using the browsing context of the Document of the element as the source 
browsing context.)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 23 October 2012 22:03:48 UTC
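The distinction the two messages turn on (the source browsing context of a navigation started by click() on an <a> is the one of the element's ownerDocument, not the one of the script that called click(), and the sandbox check in the navigation algorithm reads that source context's flags) can be made concrete with a small model. The following is an added illustration written for this archive page; it is not code from the thread, the HTML spec or any browser. The browsing contexts, URLs and the `navigationAllowed` rule are constructed for the example, and the rule is simplified: it allows a sandboxed source to navigate only itself or its descendants and omits the top-level-with-allow-top-navigation branch of the real algorithm.

```javascript
// Added toy model (not from the thread or any browser): "follow the
// hyperlink" picks the source browsing context from the anchor's
// ownerDocument, so both the Referer and the sandbox check derive from the
// document owning the <a>, whatever document the entry script came from.

// Constructed browsing contexts, each holding one Document.
function makeContext(name, url, parent, sandboxedNavigation) {
  const ctx = { name, parent, sandboxedNavigation, document: null };
  ctx.document = { url, browsingContext: ctx };
  return ctx;
}

const topCtx = makeContext('top', 'https://example.test/top', null, false);
// A sandboxed iframe whose "sandboxed navigation" flag is set.
const sandboxedCtx = makeContext('sandboxed', 'https://example.test/sandboxed', topCtx, true);
// A plain (non-sandboxed) iframe.
const plainCtx = makeContext('plain', 'https://example.test/plain', topCtx, false);

function isAncestorOrSelf(maybeAncestor, ctx) {
  for (let c = ctx; c; c = c.parent) {
    if (c === maybeAncestor) return true;
  }
  return false;
}

// Simplified sandbox rule (assumption, see lead-in): a source context with
// the sandboxed navigation flag set may navigate only itself or a
// descendant context; everything else is refused.
function navigationAllowed(source, target) {
  if (!source.sandboxedNavigation) return true;
  return isAncestorOrSelf(source, target);
}

// Toy activation behaviour for <a>. `anchor.target` is modelled directly as
// the browsing context being navigated (a simplification of the target
// attribute). The entry script's document is recorded only to show that the
// result does not depend on it.
function followHyperlink(anchor, entryScriptDocument) {
  const source = anchor.ownerDocument.browsingContext;
  return {
    referrer: anchor.ownerDocument.url,
    sourceBrowsingContext: source.name,
    entryScriptDocument: entryScriptDocument.url,
    allowed: navigationAllowed(source, anchor.target),
  };
}

// Scenario 1: script running in the plain frame calls click() on an <a>
// that lives in the sandboxed frame's document and targets the top page.
// The referrer is the sandboxed document's URL and the navigation is
// refused by the sandboxed source context's flags.
function clickFromOtherFrame() {
  const anchor = { ownerDocument: sandboxedCtx.document, target: topCtx };
  return followHyperlink(anchor, plainCtx.document);
}

// Scenario 2: same anchor, but it navigates its own frame; a sandboxed
// context may always navigate itself.
function clickSelfNavigation() {
  const anchor = { ownerDocument: sandboxedCtx.document, target: sandboxedCtx };
  return followHyperlink(anchor, plainCtx.document);
}

console.log(clickFromOtherFrame());
console.log(clickSelfNavigation());
```

In both scenarios the entry script lives in the plain frame, yet the referrer and the sandbox decision come from the sandboxed frame's document, which is the behaviour the reply attributes to the spec's "follow the hyperlink" definition.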