Re: [REFERRER] Where does "Determine request's Referrer" get its URL from?

From: Jochen Eisinger <eisinger@google.com>
Date: Thu, 24 Jul 2014 16:59:24 +0200
Message-ID: <CALjhuicP0s0Mnx2MVNS7wJC9+4RGBhDsTyGu6AWbo8RKK=TBog@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Ian Hickson <ian@hixie.ch>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>

On Thu, Jul 24, 2014 at 10:27 AM, Mike West <mkwst@google.com> wrote:

> On Wed, Jul 23, 2014 at 10:14 PM, Ian Hickson <ian@hixie.ch> wrote:
> >
> > In "6.2 Determine request's Referrer.", the algorithm carefully navigates
> > itself to a JavaScript global environment record, and then says:
> >
> >   let referrerURL be the URL of environment
> >
> > What is that URL? The JavaScript spec doesn't mention anything about
> > global environment records having URLs.
>
> Yes, this was sloppy. I've pushed
> https://github.com/w3c/webappsec/commit/765321dbf1bcc5adfc5d3e517fa64628719faa6c
> in the hopes of cleaning it up. Does the new
> https://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer
> make more sense?
>
>
> > In fact I'm rather confused about why we're doing anything with
> > JavaScript global environment records here.
>
> The goal was to cover requests both from documents and workers (Service
> Workers in particular). I was looking around for a better term, and this
> seemed like the right concept to grab. See the top of
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0006.html
> for a bit of the discussion.
>
>
> > Why does Fetch use one as the "client"?
> > Lots of user agents don't have any JS implementation at all, but they
> > still do fetches and still need referers.
>
> Anne?
>
> > There's also other logic from those steps that seem to be missing
> > entirely now. For example, where are about:blank and data:* URLs dropped?
>
> 'about:', 'data:', and other non-relative schemes are dropped in step 1 of
> "6.3 Strip url for use as a referrer", which steps 5 and 6 of the
> "determine" algorithm invoke.
>
>
> > Where is the logic that drops Referers entirely when the origin is a
> > unique tuple?
>
> Hrm. I didn't realize this was a requirement. Chrome doesn't adhere to
> this rule, but Firefox does. Filed https://crbug.com/397011 and added
> https://github.com/w3c/webappsec/commit/51bc0fb4213621ece844c9f7d67eb87b24d44786
> to bring the spec into line.
>

As I noted on the bug, that somewhat conflicts with the fetch steps that
say to use the containing document's referrer.

best
-jochen


>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Register court and number: Hamburg, HRB 86891
> Registered office: Hamburg
> Managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
Received on Thursday, 24 July 2014 15:00:12 UTC
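As an added illustration (my own code, not code from this thread or from the Referrer Policy spec), here are the two rules the thread discusses in JavaScript: "strip url for use as a referrer" yields no referrer for non-relative schemes such as about: and data:, and a client whose origin is a unique tuple sends no referrer at all. The `environment` object shape, the exact scheme set, and the stripping of credentials and fragment are assumptions for this example.

```javascript
// Added example (not code from the thread or the Referrer Policy spec).
// It models the two rules discussed above: "strip url for use as a referrer"
// returns no referrer for non-relative schemes such as about: and data:,
// and a client whose origin is a unique (opaque) tuple sends no referrer.
// Assumed for this example: the set of schemes that count as "relative"
// for referrer purposes, and that credentials and the fragment are removed.
const REFERRER_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:', 'ftp:']);

function stripForReferrer(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null; // unparseable input: no referrer rather than a garbled one
  }
  // Step 1 as described in the thread: about:, data:, blob:, javascript:, ...
  if (!REFERRER_SCHEMES.has(url.protocol)) return null;
  url.username = ''; // never leak embedded credentials (assumed, not on page)
  url.password = '';
  url.hash = '';     // fragment is client-side state, never sent on the wire
  return url.href;
}

// `environment` stands in for the "JavaScript global environment record"
// the draft navigates to: the client's URL plus whether its origin is a
// unique tuple (sandboxed iframe, data: document, ...). Hypothetical shape.
function determineReferrer(environment) {
  if (environment.originIsUnique) return null; // the rule Ian asked about
  return stripForReferrer(environment.url);
}

// Constructed sample clients for a stand-alone run.
const samples = [
  { url: 'https://user:pw@example.com/a?b=1#frag', originIsUnique: false },
  { url: 'about:blank', originIsUnique: false },
  { url: 'data:text/html,<p>hi</p>', originIsUnique: false },
  { url: 'https://example.com/sandboxed', originIsUnique: true },
];
for (const s of samples) {
  console.log(`${s.url} -> ${determineReferrer(s) ?? '(no referrer)'}`);
}
```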