- From: Mike West <mkwst@google.com>
- Date: Thu, 24 Jul 2014 10:27:54 +0200
- To: Ian Hickson <ian@hixie.ch>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Jochen Eisinger <eisinger@google.com>
- Message-ID: <CAKXHy=fcofVQyC4CG_kD-hrVFAF9HY8KGqOXyPhj3kDAWw5Egg@mail.gmail.com>
On Wed, Jul 23, 2014 at 10:14 PM, Ian Hickson <ian@hixie.ch> wrote:

> In "6.2 Determine request’s Referrer.", the algorithm carefully navigates
> itself to a JavaScript global environment record, and then says:
>
> let referrerURL be the URL of environment
>
> What is that URL? The JavaScript spec doesn't mention anything about
> global environment records having URLs.

Yes, this was sloppy. I've pushed https://github.com/w3c/webappsec/commit/765321dbf1bcc5adfc5d3e517fa64628719faa6c in the hopes of cleaning it up. Does the new https://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer make more sense?

> In fact I'm rather confused about why we're doing anything with JavaScript
> global environment records here.

The goal was to cover requests both from documents and workers (Service Workers in particular). I was looking around for a better term, and this seemed like the right concept to grab. See the top of http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0006.html for a bit of the discussion.

> Why does Fetch use one as the "client"?
> Lots of user agents don't have any JS implementation at all, but they
> still do fetches and still need referers.

Anne?

> There's also other logic from those steps that seems to be missing entirely
> now. For example, where are about:blank and data:* URLs dropped?

'about:', 'data:', and other non-relative schemes are dropped in step 1 of "6.3 Strip url for use as a referrer", which steps 5 and 6 of the "determine" algorithm invoke.

> Where is the logic that drops Referers entirely when the origin is a
> unique tuple?

Hrm. I didn't realize this was a requirement. Chrome doesn't adhere to this rule, but Firefox does. Filed https://crbug.com/397011 and added https://github.com/w3c/webappsec/commit/51bc0fb4213621ece844c9f7d67eb87b24d44786 to bring the spec into line.
--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 24 July 2014 08:28:43 UTC
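As an added illustration, not code from this thread or from the Referrer Policy spec itself, the sketch below models the two rules the reply points at: "Strip url for use as a referrer" returns no referrer for `about:`, `data:` and other non-relative schemes, and a request whose origin is a unique (opaque) tuple sends no Referer at all. The set of schemes treated as relative, and the removal of credentials and the fragment from what survives, are assumptions about the spec's behaviour rather than statements made in the message.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: network ("relative") schemes that may produce a referrer.
# Anything else (about:, data:, blob:, javascript:, ...) is treated as a
# non-relative scheme and yields no referrer, matching step 1 as described.
RELATIVE_SCHEMES = {"http", "https", "ws", "wss", "ftp"}


def strip_url_for_referrer(url):
    """Return the referrer form of `url`, or None for "no referrer".

    Assumptions beyond the message: userinfo and the fragment are removed,
    the host is lower-cased and an empty path becomes "/".
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in RELATIVE_SCHEMES:
        return None  # step 1: non-relative scheme -> no referrer

    host = parts.hostname or ""
    if ":" in host:  # re-bracket IPv6 literals that urlsplit unwrapped
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"

    path = parts.path or "/"
    # Drop credentials (netloc rebuilt without userinfo) and the fragment.
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def determine_request_referrer(environment_url, origin_is_unique=False):
    """Model of "Determine request's Referrer" for the cases in the thread.

    `environment_url` stands in for the URL of the document or worker
    environment the request comes from; `origin_is_unique` is the
    Firefox behaviour the reply commits to adopting: a unique origin
    tuple means no Referer header at all.
    """
    if origin_is_unique:
        return None
    return strip_url_for_referrer(environment_url)


if __name__ == "__main__":
    # Constructed sample environments, not data from the thread.
    samples = [
        ("https://user:pw@Example.com:8443/a/b?x=1#frag", False),
        ("about:blank", False),
        ("data:text/html,<p>hi</p>", False),
        ("https://example.com/page", True),   # sandboxed / unique origin
    ]
    for url, unique in samples:
        print(f"{url!r:55} unique={unique!s:5} -> "
              f"{determine_request_referrer(url, unique)!r}")
```

Run it directly to see each constructed environment URL beside the referrer it would produce; `None` is printed where the user agent should omit the Referer header entirely.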