
Re: [REFERRER] Where does "Determine request’s Referrer" get its URL from?

From: Mike West <mkwst@google.com>
Date: Thu, 24 Jul 2014 10:27:54 +0200
Message-ID: <CAKXHy=fcofVQyC4CG_kD-hrVFAF9HY8KGqOXyPhj3kDAWw5Egg@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Jochen Eisinger <eisinger@google.com>

On Wed, Jul 23, 2014 at 10:14 PM, Ian Hickson <ian@hixie.ch> wrote:
>
> In "6.2 Determine request’s Referrer.", the algorithm carefully navigates
> itself to a JavaScript global environment record, and then says:
>
>   let referrerURL be the URL of environment
>
> What is that URL? The JavaScript spec doesn't mention anything about
> global environment records having URLs.

Yes, this was sloppy. I've pushed
https://github.com/w3c/webappsec/commit/765321dbf1bcc5adfc5d3e517fa64628719faa6c
in the hopes of cleaning it up. Does the new
https://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer
make more sense?

> In fact I'm rather confused about why we're doing anything with JavaScript
> global environment records here.

The goal was to cover requests both from documents and workers (Service
Workers in particular). I was looking around for a better term, and this
seemed like the right concept to grab. See the top of
http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0006.html for
a bit of the discussion.

> Why does Fetch use one as the "client"?
> Lots of user agents don't have any JS implementation at all, but they
> still do fetches and still need referers.

Anne?

> There's also other logic from those steps that seem to be missing entirely
> now. For example, where are about:blank and data:* URLs dropped?

'about:', 'data:', and other non-relative schemes are dropped in step 1 of
"6.3 Strip url for use as a referrer", which steps 5 and 6 of the
"determine" algorithm invoke.

> Where is the logic that drops Referers entirely when the origin is a
> unique tuple?

Hrm. I didn't realize this was a requirement. Chrome doesn't adhere to this
rule, but Firefox does. Filed https://crbug.com/397011 and added
https://github.com/w3c/webappsec/commit/51bc0fb4213621ece844c9f7d67eb87b24d44786
to bring the spec into line.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 24 July 2014 08:28:43 UTC
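
Added illustration, not part of the message above and not spec text: a small model of the two checks discussed in the thread, showing why the unique-origin check must be separate from the scheme check in the strip step. The function names, the `hasUniqueOrigin` flag and the scheme list (the URL Standard's "relative schemes" of that period) are assumptions; credential and fragment removal follows the current Referrer Policy strip step rather than anything quoted in the thread.

```javascript
// Assumed list of "relative schemes"; anything else (about:, data:, blob:, ...)
// yields no referrer at all.
const RELATIVE_SCHEMES = new Set([
  "ftp:", "file:", "gopher:", "http:", "https:", "ws:", "wss:",
]);

// Model of "Strip url for use as a referrer". Returns null for "no referrer".
function stripUrlForReferrer(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // unparseable input never becomes a referrer
  }
  // Scheme check: drop non-relative schemes.
  if (!RELATIVE_SCHEMES.has(url.protocol)) return null;
  // Never leak credentials or the fragment to the destination.
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

// Model of "Determine request's Referrer" for a hypothetical client object
// { url, hasUniqueOrigin }. A sandboxed document can sit at an ordinary
// https: URL and still have a unique origin, so the scheme check alone
// would let its URL through; the origin check has to come first.
function determineReferrer(client) {
  if (client.hasUniqueOrigin) return null;
  return stripUrlForReferrer(client.url);
}

// Constructed sample clients.
const samples = [
  { url: "https://user:pw@example.com/a?b=1#frag", hasUniqueOrigin: false },
  { url: "about:blank", hasUniqueOrigin: false },
  { url: "data:text/html,<p>hi</p>", hasUniqueOrigin: true },
  { url: "https://example.com/sandboxed-frame.html", hasUniqueOrigin: true },
];
for (const c of samples) {
  console.log(c.url, "->", determineReferrer(c));
}
```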
