- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 23 Jul 2014 20:14:13 +0000 (UTC)
- To: public-webappsec@w3.org
- cc: Anne van Kesteren <annevk@annevk.nl>
- Message-ID: <alpine.DEB.2.00.1407232000470.8748@ps20323.dreamhostps.com>
In "6.2 Determine request's Referrer.", the algorithm carefully navigates itself to a JavaScript global environment record, and then says:

   let referrerURL be the URL of environment

What is that URL? The JavaScript spec doesn't mention anything about global environment records having URLs.

In fact I'm rather confused about why we're doing anything with JavaScript global environment records here. Why does Fetch use one as the "client"? Lots of user agents don't have any JS implementation at all, but they still do fetches and still need referers.

The way the HTML spec did the referrer logic involved Documents. The old algorithm is still in the spec (I haven't yet integrated with Fetch):

   http://www.whatwg.org/specs/web-apps/current-work/multipage/infrastructure.html#fetch

See steps 1 through 8.

There's also other logic from those steps that seems to be missing entirely now. For example, where are about:blank and data:* URLs dropped? Where is the logic that drops Referers entirely when the origin is a unique tuple?

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 23 July 2014 20:14:36 UTC