Re: [csswg-drafts] [css-fonts] Clarify: use of referrers in font fetching and relationship with preloads (#6775) from Anne van Kesteren via GitHub on 2021-10-29 (public-css-archive@w3.org from October 2021)

From: Anne van Kesteren via GitHub <sysbot+gh@w3.org>
Date: Fri, 29 Oct 2021 07:03:16 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-954481994-1635490994-sysbot+gh@w3.org>

1. Using the URL of the style sheet as referrer is correct. This leaks the least amount of data to style sheet subresources. We agreed upon this behavior quite a while ago and it's defined in https://w3c.github.io/webappsec-referrer-policy/#integration-with-css because CSS lacks Fetch integration.
   1. The document is still the authority for the fetch, so `Sec-Fetch-Site` should be the same I think.
2. I'm not sure what CORS has to do with the referrer.
3. The Chromium changeset in https://github.com/w3c/csswg-drafts/issues/6775#issuecomment-953808517 appears to be about inline style sheets grabbing the document base URL rather than the document URL per the description. I didn't look at the code change. Can you clarify how it's related?

I think this argues for not taking referrer into account for caches and that's it.

@domfarolino this might interest you.

-- 
GitHub Notification of comment by annevk
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/6775#issuecomment-954481994 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 29 October 2021 07:03:18 UTC