Re: advance Referrer Policy? from Jochen Eisinger on 2017-08-21 (public-webappsec@w3.org from August 2017)

From: Jochen Eisinger <eisinger@google.com>
Date: Mon, 21 Aug 2017 12:12:01 +0000
To: Mike West <mkwst@google.com>, Angelo Liao <huliao@microsoft.com>, Emily Stark <estark@google.com>, Franziskus Kiefer <fkiefer@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>
Message-ID: <CALjhuicJusAsatf3598bqrLNGMSM3xZQa1CEXNA66=tw3XHZkw@mail.gmail.com>

CSS doesn't really allow for feature detection of how it loads resources
off of the network, so sites that care about precise referrer control have
to resort to UA sniffing.

So maybe Firefox could indeed just implement that change and we're good to
go?

On Wed, Aug 9, 2017 at 8:53 AM Mike West <mkwst@google.com> wrote:

> Hrm. I don’t think that removing the expectations for CSS-initiated
> fetches is the right solution. We need to describe the way those fetches
> ought to work, and AFAIK, Boris and Jochen put a good amount of effort into
> coming up with the set of requirements in the document. If the group thinks
> that those are the right requirements, I’d prefer to see implementations
> align themselves to that agreement rather than throwing it overboard and
> leaving the behavior undefined.
>
> Does any vendor object to the requirements set out in
> https://w3c.github.io/webappsec-referrer-policy/#integration-with-css? If
> not, and it's just a question of resourcing, then one option to advance the
> document may be to reformulate them as non-normative suggestions for the
> CSS working group if/when they get around to restructuring their specs to
> cleanly integrate with Fetch?
>
> Another option would, of course, be to simply wait for another vendor to
> implement. Perhaps Mozilla could be encouraged to poke a bit at their
> implementation? Looks like 3 of the 7 tests in
> https://github.com/w3c/web-platform-tests/tree/master/referrer-policy/css-integration
> pass... Just 4 to go! :)
>
> -mike
>
> On Wed 9. Aug 2017 at 00:23, Angelo Liao <huliao@microsoft.com> wrote:
>
>> Edge in the current Windows insider build include most of the policies
>> except same-origin, strict-origin, strict-origin-when-cross-origin.
>> Supporting the remaining three is in our roadmap. We don’t intend to
>> implement the CSS bits anytime soon as well. If possible, can we pull out
>> the CSS section from the current CR so that we can transition the spec to
>> PR? In the meantime, we can create a Level 2 and keep the CSS section in
>> there.
>>
>>
>>
>> *From:* Franziskus Kiefer [mailto:fkiefer@mozilla.com]
>> *Sent:* Monday, July 24, 2017 1:29 AM
>> *To:* Emily Stark <estark@google.com>
>> *Cc:* Jochen Eisinger <eisinger@google.com>; Ann Onimos <
>> dveditz@mozilla.com>; public-webappsec@w3.org; Mike West <
>> mkwst@google.com>
>> *Subject:* Re: advance Referrer Policy?
>>
>>
>>
>> Firefox doesn't implement the CSS bits yet [1]. I'm not sure if this is
>> going to change any time soon.
>>
>>
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1330487
>>
>>
>>
>> On Sat, Jul 22, 2017 at 11:53 AM, Emily Stark <estark@google.com> wrote:
>>
>> Not sure -- Dan, do you know?
>>
>>
>>
>> On Fri, Jul 21, 2017 at 8:55 AM, Jochen Eisinger <eisinger@google.com>
>> wrote:
>>
>> Did Firefox implement the CSS specific bits meanwhile?
>>
>>
>>
>> On Fri, Jul 21, 2017 at 8:48 AM Emily Stark <estark@google.com> wrote:
>>
>> Hi all,
>>
>>
>>
>> Chrome's implementation of Referrer Policy includes the three newest
>> policy values in M61 (
>> https://www.chromestatus.com/feature/5634117806850048). I believe this
>> brings us to two interoperable implementations, covered by
>> web-platform-tests
>> <https://github.com/w3c/web-platform-tests/tree/master/referrer-policy>.
>> I'm told this means it might be time for a CfC to transition to PR.
>>
>>
>>
>> Thoughts?
>>
>>
>>
>> Thanks,
>>
>> Emily
>>
>>
>>
>>
>>
>

Received on Monday, 21 August 2017 12:12:37 UTC