
[REFERRER] updating referrer policy and request caching

From: Franziskus Kiefer <fkiefer@mozilla.com>
Date: Sun, 14 Jun 2015 20:26:51 -0700
Message-ID: <CADthy-+Wohs4MBX5PF_m1nmsD7N-qn4L2B==Vamvv4zJXXuT_A@mail.gmail.com>
To: public-webappsec <public-webappsec@w3.org>

Hi all,

I have two questions regarding the referrer policy.

1) If the referrer policy is specified in HTML, it can be modified from
JavaScript. According to [1], the latest referrer policy should always be
used.
In particular, after doing something like
document.getElementsByName("referrer")[0].setAttribute("content",
"unsafe-url") or
document.getElementById("important-link").setAttribute("referrer",
"unsafe-url") the full URL should be used when clicking the
"important-link". Is this correct? The behaviour of Chrome and Firefox, for
example, differs here (Chrome allows updating the meta referrer while
Firefox doesn't).


2) A different problem regarding referrer policies is with respect to
request caching. It essentially boils down to the following question: Are
requests that are identical except for their referrer policy supposed to be
reused or not?
Consider the following scenario:
Assume we have multiple identical images on a website with different
referrer policies. Being strict, the image would have to be loaded multiple
times in order to honour the referrer policies. However, this creates
unnecessary traffic and does not increase privacy, as the full referrer is
probably sent out for one of the requests anyway. Querying the image only
once, on the other hand, might lead to displaying a wrong image in case the
response depends on the referrer.

[1]
https://w3c.github.io/webappsec/specs/referrer-policy/#set-referrer-policy


Cheers,
Franziskus
Received on Monday, 15 June 2015 09:06:54 UTC
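
The scenario in question 2, as an added example that is not part of the original message: a small simulation comparing an image cache keyed on the URL alone with one keyed on the URL plus the Referer value the element's policy would produce. The functions referrerFor and loadImages, the simplified policy handling, the cache model and all URLs are constructed for illustration and do not describe any browser's implementation.

```javascript
// Added illustration of the image-cache scenario from question 2.
// Policy handling is simplified; cache model and URLs are constructed.
function referrerFor(policy, docUrl, targetUrl) {
  const doc = new URL(docUrl), target = new URL(targetUrl);
  doc.hash = ""; doc.username = ""; doc.password = ""; // never sent in Referer
  const full = doc.href, originOnly = doc.origin + "/";
  const downgrade = doc.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return "";
    case "origin": return originOnly;
    case "origin-when-cross-origin":
      return doc.origin === target.origin ? full : originOnly;
    case "unsafe-url": return full;
    case "no-referrer-when-downgrade": return downgrade ? "" : full;
    default: throw new Error("unknown policy: " + policy);
  }
}

// keyMode "url": one cache entry per URL, so the first element's policy wins.
// keyMode "url+referrer": an entry is shared only when the Referer value
// that would be sent is identical.
function loadImages(images, docUrl, keyMode) {
  const cache = new Map();  // cache key -> Referer used for the stored response
  const sent = [];          // Referer values the server actually received
  const mismatched = [];    // elements shown a response fetched with another Referer
  for (const { id, src, policy } of images) {
    const want = referrerFor(policy, docUrl, src);
    const key = keyMode === "url" ? src : src + "\n" + want;
    if (!cache.has(key)) { cache.set(key, want); sent.push(want); }
    else if (cache.get(key) !== want) mismatched.push(id);
  }
  return { requests: sent.length, sent, mismatched };
}

// Constructed sample page: four identical images, differing only in policy.
const DOC = "https://shop.example/account/orders?id=1234#top";
const IMAGES = [
  { id: "a", src: "https://cdn.example/logo.png", policy: "no-referrer" },
  { id: "b", src: "https://cdn.example/logo.png", policy: "unsafe-url" },
  { id: "c", src: "https://cdn.example/logo.png", policy: "origin" },
  { id: "d", src: "https://cdn.example/logo.png", policy: "unsafe-url" },
];
console.log(loadImages(IMAGES, DOC, "url"));
console.log(loadImages(IMAGES, DOC, "url+referrer"));
```

Keying on the URL alone issues one request but leaves three elements showing a response fetched under a different Referer; keying on the Referer value as well issues three requests, one of which still carries the full URL.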
