Re: Referrer value for resources fetched from CSS

+jochen, bz

I remember talking with Boris about this, but I can't find the thread at
the moment. My vague recollection was that Chrome used the URL of the
document that loaded the CSS file, and Firefox used the CSS file. It sounds
like that might have changed in the relatively recent past.

If that's the case, we should update the spec. And by "we", I mean Jochen.
:)

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Sep 8, 2015 at 1:01 PM, Yoav Weiss <yoav@yoav.ws> wrote:

> Hi,
>
> When going through the definitions and values of the Referer header in the referrer
> policy <https://w3c.github.io/webappsec/specs/referrer-policy/> spec, I
> see that the "No referrer when downgrade" policy (which is the default) is
> defined as "sends a full URL", but it's not clear to me what that URL
> should be. My default assumption would be that it is the URL of the
> settings object/main document.
>
> However, when looking at font resources fetched cross-origin that were
> defined by an external stylesheet, I see that the "referer" value is that
> of the stylesheet, rather than that of the main document, in both Firefox
> and Chrome.
>
> So, I guess my questions are:
> * Are I missing something regarding the definitions? Is an external
> stylesheet defined as a settings object of its own?
> * When the referrer policy is defined as "origin", what should the referer
> on such a font resource be?
>
> Cheers :)
> Yoav
>
>