Re: Standardize referrer policy

From: Mike West <mkwst@google.com>
Date: Thu, 12 Jun 2014 13:59:53 +0200
Message-ID: <CAKXHy=fjDm7JQ8m0RspU6-u=osk+azJ=hC-VR7eUayVZRbabhg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Jochen Eisinger <eisinger@google.com>, Ian Hickson <ian@hixie.ch>, WebAppSec WG <public-webappsec@w3.org>, Sid Stamm <sid@mozilla.com>, Adam Barth <abarth@google.com>
Thanks Anne!

On Thu, Jun 12, 2014 at 11:51 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Wed, Jun 11, 2014 at 7:55 PM, Jochen Eisinger <eisinger@google.com>
> wrote:
> > With a lot of help from Mike, we've put together a first draft here:
> > https://w3c.github.io/webappsec/specs/referrer-policy/
>
> I think what would be best for Fetch integration is me handing you a
> request and you returning a URL or <i title>none</i>. I tentatively
> called this hook "determine referrer". That way Fetch can decide when
> it wants to expose this information as a header. And that way this is
> also a side-effect free invocation which seems preferable.
>
> See http://fetch.spec.whatwg.org/#concept-fetch for the tentative
> hook. Search for [REFERRER].
>

Makes sense. I've updated the hook accordingly:
http://w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer.
Does that make sense?

> As for the specifics of what Referrer Policy should do I copied Ian as
> HTML currently has a rather evolved set of steps:
>
> http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#fetch
> We should take those over somehow or Ian needs to do some handling
> before invoking the Fetch Standard. I don't really have a real
> preference there.
>

Yes, thanks! That had (at least?) two pieces that we'd forgotten to add to
the spec:

1. We shouldn't send referrer information for non-relative schemes (data:,
about:, blob:, etc).
2. srcdoc iframes.

I've now added both to the spec.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 12 June 2014 12:00:42 UTC
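
Added example, not part of the original message or of the Referrer Policy draft: a sketch of the side-effect-free "determine referrer" hook discussed in the thread (request in, URL or none out), applying the two rules listed in the reply. The request/document object shape, the srcdoc walk-up to the parent document, and the stripping of credentials and fragment are assumptions made for illustration.

```javascript
// Added example: a side-effect-free "determine referrer" hook.
// The request/document object shapes are hypothetical, not a browser API.

// Schemes treated as non-relative here (the message lists data:, about:, blob:, "etc").
const NON_RELATIVE_SCHEMES = new Set(["data:", "about:", "blob:"]);

// Assumption: a srcdoc iframe has no URL of its own worth reporting, so
// walk up to the nearest ancestor document that is not a srcdoc document.
function effectiveDocument(doc) {
  while (doc && doc.isSrcdoc) doc = doc.parent;
  return doc || null;
}

// Returns a URL string, or null for "none". It only reads its input; the
// caller (Fetch, in the thread) decides whether to expose it as a header.
function determineReferrer(request) {
  const doc = effectiveDocument(request.client);
  if (!doc) return null;

  let url;
  try {
    url = new URL(doc.url);
  } catch (_) {
    return null; // unparseable document URL: report nothing
  }
  if (NON_RELATIVE_SCHEMES.has(url.protocol)) return null;

  // Assumption (not stated in the message): drop credentials and fragment
  // so they never reach the destination.
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

// Constructed sample documents.
const page = { url: "https://user:pw@example.com/inbox?id=7#msg", isSrcdoc: false, parent: null };
const srcdocFrame = { url: "about:srcdoc", isSrcdoc: true, parent: page };
const dataDoc = { url: "data:text/html,<p>hi</p>", isSrcdoc: false, parent: null };
const blobDoc = { url: "blob:https://example.com/3f1c", isSrcdoc: false, parent: null };

for (const client of [page, srcdocFrame, dataDoc, blobDoc]) {
  console.log(client.url, "->", determineReferrer({ client }));
}
```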
