- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Mon, 5 Oct 2015 11:19:34 -0400
- To: Jochen Eisinger <eisinger@google.com>, Anne van Kesteren <annevk@annevk.nl>
- Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 10/5/15 10:23 AM, Jochen Eisinger wrote:
> Problem: some network loads include a referrer header, but there is no
> spec that actually details where this header comes from (i.e. does not
> integrate with Fetch currently)
>
> Proposal: for these loads, specify in the referrer spec that if the
> referrer came from a JavaScript global environment, the referrer policy
> of that global environment should be taken into account. Otherwise, the
> default referrer policy should be used.
>
> does that make sense?

Thank you for clarifying the situation.

What you said makes sense as a proposal, but it leaves open questions about what it means to come "from a JavaScript global environment" (e.g. is that true for stylesheets that come from <style> elements?) and it seems like it allows various ways of leaking more referrer information than pages with a restrictive referrer policy expect.

It seems safer to identify which document the load is associated with (if any) and apply that document's referrer policy... Of course that may involve changes to the specs that define that the load happens. :(

-Boris

Received on Monday, 5 October 2015 15:20:05 UTC