W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

[REFERRER] policy inheritance via javascript: URI and new document

From: Sid Stamm <sid@mozilla.com>
Date: Fri, 24 Apr 2015 09:13:57 -0400
Message-ID: <CAP=NJFO1eMSJ-reP3eUnv=Ft0T0dgDtpBsPX7QHf03+-ba77LQ@mail.gmail.com>
To: public-webappsec@w3.org
Hi group,

The Referrer Policy spec addresses a number of "implicit delivery"
situations[0], but I think needs to address another[1].

Consider a link created with a javascript: URI in an anchor:
<a href="javascript:document.location='https://thirdparty.com/path/doc'">

When clicked, this navigates the current document to a third party
site, and the appropriate referrer policy (for the current document)
is applied to the load.

For contrast, consider this link:
<a href="javascript:document.location='https://thirdparty.com/path/doc'"

When clicked, this should open a new document/window and navigate that
window.  The referrer is inherited by the new document (as is the rest
of the principal) but what happens with the referrer policy?

In Firefox, the referrer policy is *not* inherited.  Since we create a
new document and since the referrer policy is from a meta tag (not
from the principal) it is not inherited.

In Chrome (correct me if I'm wrong, Google folks), the target is
ignored so it behaves like the first example and does not create a new

The policy covers workers and *nested* contexts, but not new documents
or windows.  I think the spec needs to be updated to say what to do,
whether we decide the new document inherits the policy or not.

So what do you think?  Copy the referrer policy or not?  I'm leaning
towards not, since we're creating a new document and the policy,
delivered via HTML tag or CSP, is kind of associated with the document
(not the principal).


[0] https://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-delivery-implicit
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1156107
Received on Friday, 24 April 2015 13:14:28 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC