- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 15 Jul 2015 01:30:56 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/80@github.com>
This is my current thinking with regards to integrating referrer support into Fetch (and the `fetch()` API).

Referrer should be copied from an existing `Request` object. However, it should be reset if any modifications are made to that `Request` object. This addresses the pass-through scenario for service workers and in particular the CORS CSS case (where the referrer is not same-origin).

See also https://github.com/w3c/webappsec/issues/413

Referrer should be allowed to be set to any same-origin URL (already possible through `pushState()` and other tricks).

Referrer should be allowed to be omitted.

Referrer will of course always be subject to the referrer policy of request's client.

In order to support the proposed `referrer=""` attribute there would also have to be a request's referrer policy (with `referrer=""` mapping to that rather than request's referrer). It's unclear at the moment what wins between a request's referrer policy and a request's client's referrer policy, though @sc0ttbeardsley from Yahoo! has expressed a preference for letting request's referrer policy win which seems to violate the spirit of CSP...

See also https://github.com/w3c/webappsec/issues/409

@jeisinger and @mikewest, any chance we can resolve this quickly?

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/80
Received on Wednesday, 15 July 2015 08:31:28 UTC
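
The copy, reset and same-origin rules proposed in the message above can be modeled as one small function; this is an added example, not part of the original message and not the Fetch specification's algorithm. `resolveReferrer`, the `"client"` placeholder, the `example.test` URLs and the choice to throw on a cross-origin referrer are assumptions, and referrer policy is not modeled.

```javascript
// Model of the proposed referrer rules (hypothetical helper, not spec text).
const CLIENT_DEFAULT = "client"; // placeholder meaning "derive from the client"
const NO_REFERRER = "";          // placeholder meaning "referrer omitted"

// Constructed sample data: a service worker and an intercepted request
// issued from a cross-origin stylesheet (the "CORS CSS case").
const CLIENT_URL = "https://app.example.test/sw.js";
const INTERCEPTED = { referrer: "https://cdn.example.test/theme.css" };

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// existing:  the Request-like object being copied, or null
// init:      modifications supplied alongside it (may be empty)
// clientUrl: URL of the environment creating the new request
function resolveReferrer(existing, init, clientUrl) {
  if ("referrer" in init) {
    // Omitting the referrer is always allowed.
    if (init.referrer === NO_REFERRER) return NO_REFERRER;
    // An explicit referrer must be same-origin with the client.
    const parsed = new URL(init.referrer, clientUrl).href;
    if (!sameOrigin(parsed, clientUrl)) {
      // Assumption: the message does not say how a cross-origin value fails.
      throw new TypeError("referrer must be same-origin with the client");
    }
    return parsed;
  }
  // Unmodified pass-through keeps the original (possibly cross-origin) referrer.
  const modified = Object.keys(init).length > 0;
  if (existing && !modified) return existing.referrer;
  // Any modification resets the referrer, so a cross-origin value
  // cannot ride along on a request the script has altered.
  return CLIENT_DEFAULT;
}
```
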