- From: Franziskus Kiefer <fkiefer@mozilla.com>
- Date: Sun, 14 Jun 2015 20:26:51 -0700
- To: public-webappsec <public-webappsec@w3.org>
- Message-ID: <CADthy-+Wohs4MBX5PF_m1nmsD7N-qn4L2B==Vamvv4zJXXuT_A@mail.gmail.com>
Hi all,

I have two questions regarding the referrer policy.

1) If the referrer policy is specified in HTML, it can be modified from JavaScript. According to [1], the latest referrer policy should always be used. In particular, after doing something like

    document.getElementsByName("referrer")[0].setAttribute("content", "unsafe-url")

or

    document.getElementById("important-link").setAttribute("referrer", "unsafe-url")

the full URL should be used when clicking the "important-link". Is this correct? The behaviour of Chrome and Firefox, for example, differs here (Chrome allows updating the meta referrer while Firefox doesn't).

2) A different problem regarding referrer policies is with respect to request caching. It essentially boils down to the following question: Are requests that are identical except for their referrer policy supposed to be reused or not?

Consider the following scenario: Assume we have multiple identical images on a website with different referrer policies. Being strict, the image would have to be loaded multiple times in order to honour the referrer policies. However, this creates unnecessary traffic and does not increase privacy, as the full referrer is probably sent out for one of the requests anyway. Querying the image only once, on the other hand, might lead to displaying a wrong image in case the response depends on the referrer.

[1] https://w3c.github.io/webappsec/specs/referrer-policy/#set-referrer-policy

Cheers,
Franziskus
Received on Monday, 15 June 2015 09:06:54 UTC
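
Added example (not part of the original message and not taken from the referrer policy spec or any browser): a toy JavaScript model of the scenario in question 2, comparing a cache keyed on the URL alone with one keyed on URL plus referrer policy. The page URL, image URL, the referrer-dependent server and the cache itself are constructed assumptions; only three policy values are modelled.

```javascript
// Toy model only: it does not reproduce any browser's cache or the spec algorithm.
// Referrer value sent for a document URL under three policy values.
function referrerFor(policy, documentUrl) {
  const u = new URL(documentUrl);
  switch (policy) {
    case "no-referrer": return "";
    case "origin": return u.origin + "/";
    case "unsafe-url": u.hash = ""; return u.href; // full URL minus fragment
    default: throw new Error("policy not modelled: " + policy);
  }
}

// Hypothetical server whose response body depends on the Referer header.
function referrerSensitiveServer(url, referrer) {
  return referrer === "" ? "generic.png" : "tailored-for:" + referrer;
}

// Load every image through a cache whose key is built by cacheKey().
function loadImages(documentUrl, images, cacheKey) {
  const cache = new Map();
  const sentReferrers = []; // one entry per request that reached the network
  const displayed = images.map((img) => {
    const key = cacheKey(img);
    if (!cache.has(key)) {
      const referrer = referrerFor(img.policy, documentUrl);
      sentReferrers.push(referrer);
      cache.set(key, referrerSensitiveServer(img.src, referrer));
    }
    return cache.get(key);
  });
  return { requests: sentReferrers.length, sentReferrers, displayed };
}

// Constructed sample page: the same image URL used three times.
const PAGE = "https://example.org/account/reset?token=abc#top";
const IMAGES = [
  { src: "https://cdn.example.net/logo.png", policy: "no-referrer" },
  { src: "https://cdn.example.net/logo.png", policy: "origin" },
  { src: "https://cdn.example.net/logo.png", policy: "unsafe-url" },
];

const byUrlOnly = (img) => img.src;                          // reuse across policies
const byUrlAndPolicy = (img) => img.src + "|" + img.policy;  // strict, one per policy

const reused = loadImages(PAGE, IMAGES, byUrlOnly);
const strict = loadImages(PAGE, IMAGES, byUrlAndPolicy);
console.log(reused, strict);
```

With the URL-only key, whichever element loads first decides both the referrer that leaves the page and the response every other element displays, so the outcome depends on load order.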