- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 5 Oct 2015 16:32:56 +0200
- To: Jochen Eisinger <eisinger@google.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Oct 5, 2015 at 4:23 PM, Jochen Eisinger <eisinger@google.com> wrote:
> Problem: some network loads include a referrer header, but there is no spec
> that actually details where this header comes from (i.e. does not integrate
> with Fetch currently)
>
> Proposal: for these loads, specify in the referrer spec that if the referrer
> came from a JavaScript global environment, the referrer policy of that
> global environment should be taken into account. Otherwise, the default
> referrer policy should be used.
>
> does that make sense?

It seems suboptimal. I think it would be better for stylesheets to use the referrer policy of their associated document. When you change the referrer policy for a given document, e.g., to none, you wouldn't want stylesheets to still leak the referrer through image fetches or some such.

--
https://annevankesteren.nl/

Received on Monday, 5 October 2015 14:33:24 UTC