[REFERRER] policy inheritance via javascript: URI and new document

Hi group,

The Referrer Policy spec addresses a number of "implicit delivery"
situations[0], but I think it needs to address another[1].

Consider a link created with a javascript: URI in an anchor:
<a href="javascript:document.location='https://thirdparty.com/path/doc'">

When clicked, this navigates the current document to a third party
site, and the appropriate referrer policy (for the current document)
is applied to the load.

For contrast, consider this link:
<a href="javascript:document.location='https://thirdparty.com/path/doc'"
target="_blank">

When clicked, this should open a new document/window and navigate that
window.  The referrer is inherited by the new document (as is the rest
of the principal) but what happens with the referrer policy?

In Firefox, the referrer policy is *not* inherited.  Since we create a
new document and since the referrer policy is from a meta tag (not
from the principal) it is not inherited.

In Chrome (correct me if I'm wrong, Google folks), the target is
ignored so it behaves like the first example and does not create a new
document.

The policy covers workers and *nested* contexts, but not new documents
or windows.  I think the spec needs to be updated to say what to do,
whether we decide the new document inherits the policy or not.

So what do you think?  Copy the referrer policy or not?  I'm leaning
towards not, since we're creating a new document and the policy,
delivered via HTML tag or CSP, is kind of associated with the document
(not the principal).

-Sid

[0] https://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-delivery-implicit
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1156107

Received on Friday, 24 April 2015 13:14:28 UTC
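
An added example, not part of the original message or of any browser's code: a Node.js helper for observing the behaviour the message asks about, by building a page with the two links and classifying the Referer header a collector receives. The URLs, ports, the `origin` policy value and all function names are assumptions made for the test.

```javascript
// Added example. Hostnames, ports, paths and the "origin" policy value are
// constructed for this test and do not come from the original message.
const PAGE_URL = 'http://localhost:8000/private/account?id=42'; // page under test
const COLLECTOR = 'http://127.0.0.1:8001/collect';              // stands in for the third party

// Page carrying a meta referrer policy and the two links from the message.
function buildTestPage(policy) {
  const link = (label, target) =>
    `<a href="javascript:document.location='${COLLECTOR}?case=${label}'"` +
    `${target ? ` target="${target}"` : ''}>${label}</a>`;
  return `<!doctype html><meta name="referrer" content="${policy}">` +
    `${link('same-window', '')} ${link('new-window', '_blank')}`;
}

// Classify the Referer header the collector saw for a load started from pageUrl.
function classifyReferer(header, pageUrl) {
  if (!header) return 'suppressed';
  let ref;
  try { ref = new URL(header); } catch { return 'other'; }
  const page = new URL(pageUrl);
  if (ref.origin !== page.origin) return 'other';
  if (ref.pathname === '/' && ref.search === '') return 'origin-only';
  return ref.pathname === page.pathname ? 'full-url' : 'other';
}

// True when the observed header matches what the page's policy should produce.
// Under "origin", a full URL means the load did not use the page's policy.
function policyApplied(policy, header, pageUrl) {
  const expected = { 'origin': 'origin-only', 'no-referrer': 'suppressed' }[policy];
  if (!expected) throw new Error(`unsupported policy in this example: ${policy}`);
  return classifyReferer(header, pageUrl) === expected;
}

// Request handler for the collector: http.createServer(collect).listen(8001).
function collect(req, res) {
  const label = new URL(req.url, COLLECTOR).searchParams.get('case');
  const verdict = classifyReferer(req.headers.referer, PAGE_URL);
  console.log(`${label}: Referer=${req.headers.referer || '(none)'} -> ${verdict}`);
  res.end(verdict);
}
```

Serve `buildTestPage('origin')` at the page URL, click each link, and compare the verdicts logged for `same-window` and `new-window`.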