Re: [REFERRER] Where does "Determine request’s Referrer" get its URL from?

On Wed, Jul 23, 2014 at 10:14 PM, Ian Hickson <ian@hixie.ch> wrote:
>
> In "6.2 Determine request’s Referrer.", the algorithm carefully navigates
> itself to a JavaScript global environment record, and then says:
>
>   let referrerURL be the URL of environment
>
> What is that URL? The JavaScript spec doesn't mention anything about
> global environment records having URLs.

Yes, this was sloppy. I've pushed
https://github.com/w3c/webappsec/commit/765321dbf1bcc5adfc5d3e517fa64628719faa6c
in the hopes of cleaning it up. Does the new
https://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer
make more sense?

> In fact I'm rather confused about why we're doing anything with JavaScript
> global environment records here.

The goal was to cover requests both from documents and workers (Service
Workers in particular). I was looking around for a better term, and this
seemed like the right concept to grab. See the top of
http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0006.html for
a bit of the discussion.

> Why does Fetch use one as the "client"?
> Lots of user agents don't have any JS implementation at all, but they
> still do fetches and still need referers.

Anne?

> There's also other logic from those steps that seem to be missing entirely
> now. For example, where are about:blank and data:* URLs dropped?

'about:', 'data:', and other non-relative schemes are dropped in step 1 of
"6.3 Strip url for use as a referrer", which steps 5 and 6 of the
"determine" algorithm invoke.

> Where is the logic that drops Referers entirely when the origin is a
> unique tuple?

Hrm. I didn't realize this was a requirement. Chrome doesn't adhere to this
rule, but Firefox does. Filed https://crbug.com/397011 and added
https://github.com/w3c/webappsec/commit/51bc0fb4213621ece844c9f7d67eb87b24d44786
to bring the spec into line.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 24 July 2014 08:28:43 UTC
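
The two checks discussed in this message (step 1 of "Strip url for use as a referrer" dropping `about:`, `data:` and other non-relative schemes, and sending no Referer when the origin is a unique tuple), as an added example that is not part of the original message or of the spec text. The function names, the `originIsOpaque` flag, the list of relative schemes, and the removal of credentials and fragment are assumptions; the message does not quote those steps.

```javascript
// Added example. Names and the scheme list below are assumptions, not spec text.
// Schemes treated as "relative" (assumed list). Everything else, including
// about: and data:, produces no referrer.
const RELATIVE_SCHEMES = new Set([
  "ftp:", "file:", "gopher:", "http:", "https:", "ws:", "wss:",
]);

// Returns the referrer string, or null meaning "send no Referer header".
function stripUrlForReferrer(input, originOnly = false) {
  if (input == null) return null;
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // unparsable URL: fail closed and send nothing
  }
  // The check the message attributes to step 1 of the strip algorithm.
  if (!RELATIVE_SCHEMES.has(url.protocol)) return null;
  // Assumed steps: never leak embedded credentials or the fragment.
  url.username = "";
  url.password = "";
  url.hash = "";
  if (originOnly) {
    url.pathname = "/";
    url.search = "";
  }
  return url.href;
}

// client is a hypothetical stand-in for the document or worker making the
// request: { url: string, originIsOpaque: boolean }.
function determineReferrer(client, originOnly = false) {
  // Unique (opaque) origin, e.g. a sandboxed frame: drop the referrer entirely.
  if (client.originIsOpaque) return null;
  return stripUrlForReferrer(client.url, originOnly);
}

// Constructed sample inputs.
const samples = [
  { url: "https://user:pw@example.com/a/b?q=1#frag", originIsOpaque: false },
  { url: "about:blank", originIsOpaque: false },
  { url: "https://example.com/sandboxed", originIsOpaque: true },
];
for (const s of samples) console.log(s.url, "->", determineReferrer(s));
```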