Thanks Anne! On Thu, Jun 12, 2014 at 11:51 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Wed, Jun 11, 2014 at 7:55 PM, Jochen Eisinger <eisinger@google.com> > wrote: > > With a lot of help from Mike, we've put together a first draft here: > > https://w3c.github.io/webappsec/specs/referrer-policy/ > > I think what would be best for Fetch integration is me handing you a > request and you returning a URL or <i title>none</i>. I tentatively > called this hook "determine referrer". That way Fetch can decide when > it wants to expose this information as a header. And that way this is > also a side-effect free invocation which seems preferable. > > See http://fetch.spec.whatwg.org/#concept-fetch for the tentative > hook. Search for [REFERRER]. > Makes sense. I've updated the hook accordingly: http://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer. Does that make sense? As for the specifics of what Referrer Policy should do I copied Ian as > HTML currently has a rather evolved set of steps: > > http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#fetch > We should take those over somehow or Ian needs to do some handling > before invoking the Fetch Standard. I don't really have a real > preference there. > Yes, thanks! That had (at least?) two pieces that we'd forgotten to add to the spec: 1. We shouldn't send referrer information for non-relative schemes (data:, about:, blob:, etc). 2. srcdoc iframes. I've now added both to the spec. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 12 June 2014 12:00:42 UTC