[REFERRER] updating referrer policy and request caching

Hi all,

I have two questions regarding the referrer policy.

1) If the referrer policy is specified in HTML, it can be modified from
JavaScript. According to [1], the latest referrer policy should always be
used.
In particular, after doing something like

    document.getElementsByName("referrer")[0].setAttribute("content", "unsafe-url")

or

    document.getElementById("important-link").setAttribute("referrer", "unsafe-url")

the full URL should be used when clicking the "important-link". Is this
correct? The behaviour of Chrome and Firefox, for example, differs here
(Chrome allows updating the meta referrer while Firefox doesn't).


2) A different problem regarding referrer policies is with respect to
request caching. It essentially boils down to the following question: Are
requests that are identical except for their referrer policy supposed to be
reused or not?
Consider the following scenario:
Assume we have multiple identical images on a website with different
referrer policies. Being strict, the image would have to be loaded multiple
times in order to honour the referrer policies. However, this creates
unnecessary traffic and does not increase privacy as the full referrer is
probably sent out for one of the requests anyway. Querying the image only
once, on the other hand, might lead to displaying a wrong image in case the
response depends on the referrer.

[1]
https://w3c.github.io/webappsec/specs/referrer-policy/#set-referrer-policy


Cheers,
Franziskus

Received on Monday, 15 June 2015 09:06:54 UTC
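
Added example, not part of the original message and not browser code: a small JavaScript model of the caching scenario in question 2, comparing a cache keyed by URL only with one keyed by URL plus the referrer that would be sent. The policy names other than "unsafe-url", the page and image URLs, and the referrer-dependent server are assumptions made for the illustration.

```javascript
// Referrer value a request would carry under a given policy (three policies modelled).
function computeReferrer(policy, pageUrl) {
  const u = new URL(pageUrl);
  switch (policy) {
    case "no-referrer": return null;
    case "origin":      return u.origin + "/";
    case "unsafe-url":  u.hash = ""; u.username = ""; u.password = ""; return u.href;
    default: throw new Error("policy not modelled: " + policy);
  }
}

// Hypothetical server whose response body depends on the Referer header.
function server(url, referrer) {
  return "body of " + url + " for Referer: " + (referrer === null ? "(none)" : referrer);
}

// Load all images through one cache; keyFn decides which requests count as identical.
function loadImages(pageUrl, images, keyFn) {
  const cache = new Map();
  const sentReferrers = [];            // what actually went over the network
  const displayed = images.map(({ src, policy }) => {
    const referrer = computeReferrer(policy, pageUrl);
    const key = keyFn(src, referrer);
    if (!cache.has(key)) {
      sentReferrers.push(referrer);
      cache.set(key, server(src, referrer));
    }
    return cache.get(key);
  });
  return { networkRequests: sentReferrers.length, sentReferrers, displayed };
}

// Constructed sample page: the same image three times with different policies.
const PAGE = "https://example.com/private/inbox?id=42#top";
const IMG = "https://cdn.example.net/logo.png";
const IMAGES = [
  { src: IMG, policy: "no-referrer" },
  { src: IMG, policy: "origin" },
  { src: IMG, policy: "unsafe-url" },
];

const byUrlOnly = (src) => src;                                        // reuse across policies
const byUrlAndReferrer = (src, ref) => JSON.stringify([src, ref]);     // strict

const reuse = loadImages(PAGE, IMAGES, byUrlOnly);
const strict = loadImages(PAGE, IMAGES, byUrlAndReferrer);
console.log("reuse :", reuse.networkRequests, reuse.sentReferrers);
console.log("strict:", strict.networkRequests, strict.sentReferrers);
console.log("third image differs:", reuse.displayed[2] !== strict.displayed[2]);
```

In this model the URL-only cache makes one request, and the referrer that goes out is decided by whichever element comes first in document order; the strict cache makes three requests and every policy's referrer is sent.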