W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

[REFERRER] Where does "Determine request¢s Referrer" get its URL from?

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 23 Jul 2014 20:14:13 +0000 (UTC)
To: public-webappsec@w3.org
cc: Anne van Kesteren <annevk@annevk.nl>
Message-ID: <alpine.DEB.2.00.1407232000470.8748@ps20323.dreamhostps.com>

In "6.2 Determine request¢s Referrer.", the algorithm carefully navigates 
itself to a JavaScript global environment record, and then says:

  let referrerURL be the URL of environment

What is that URL? The JavaScript spec doesn't mention anything about 
global environment records having URLs.

In fact I'm rather confused about why we're doing anything with JavaScript 
global environment records here. Why does Fetch use one as the "client"? 
Lots of user agents don't have any JS implementation at all, but they 
still do fetches and still need referers.

The way the HTML spec did the referrer logic involved Documents. The old 
algorithm is still in the spec (I haven't yet integrated with Fetch):

   http://www.whatwg.org/specs/web-apps/current-work/multipage/infrastructure.html#fetch

See steps 1 through 8.

There's also other logic from those steps that seem to be missing entirely 
now. For example, where are about:blank and data:* URLs dropped? Where is 
the logic that drops Referers entirely when the origin is a unique tuple?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 23 July 2014 20:14:36 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC