- From: Jochen Eisinger <eisinger@google.com>
- Date: Thu, 24 Jul 2014 16:59:24 +0200
- To: Mike West <mkwst@google.com>
- Cc: Ian Hickson <ian@hixie.ch>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
- Message-ID: <CALjhuicP0s0Mnx2MVNS7wJC9+4RGBhDsTyGu6AWbo8RKK=TBog@mail.gmail.com>
On Thu, Jul 24, 2014 at 10:27 AM, Mike West <mkwst@google.com> wrote:

> On Wed, Jul 23, 2014 at 10:14 PM, Ian Hickson <ian@hixie.ch> wrote:
> >
> > In "6.2 Determine request's Referrer.", the algorithm carefully navigates
> > itself to a JavaScript global environment record, and then says:
> >
> >    let referrerURL be the URL of environment
> >
> > What is that URL? The JavaScript spec doesn't mention anything about
> > global environment records having URLs.
>
> Yes, this was sloppy. I've pushed
> https://github.com/w3c/webappsec/commit/765321dbf1bcc5adfc5d3e517fa64628719faa6c
> in the hopes of cleaning it up. Does the new
> https://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer
> make more sense?
>
> > In fact I'm rather confused about why we're doing anything with JavaScript
> > global environment records here.
>
> The goal was to cover requests both from documents and workers (Service
> Workers in particular). I was looking around for a better term, and this
> seemed like the right concept to grab. See the top of
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0006.html
> for a bit of the discussion.
>
> > Why does Fetch use one as the "client"?
> > Lots of user agents don't have any JS implementation at all, but they
> > still do fetches and still need referers.
>
> Anne?
>
> > There's also other logic from those steps that seem to be missing entirely
> > now. For example, where are about:blank and data:* URLs dropped?
>
> 'about:', 'data:', and other non-relative schemes are dropped in step 1 of
> "6.3 Strip url for use as a referrer", which steps 5 and 6 of the
> "determine" algorithm invoke.
>
> > Where is the logic that drops Referers entirely when the origin is a
> > unique tuple?
>
> Hrm. I didn't realize this was a requirement. Chrome doesn't adhere to
> this rule, but Firefox does. Filed https://crbug.com/397011 and added
> https://github.com/w3c/webappsec/commit/51bc0fb4213621ece844c9f7d67eb87b24d44786
> to bring the spec into line.

As I noted on the bug, that somewhat conflicts with the fetch steps that say to use the containing document's referrer

best
-jochen

> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 24 July 2014 15:00:12 UTC