- From: Kristijan Burnik <burnik@google.com>
- Date: Tue, 26 May 2015 14:06:15 +0200
- To: public-webappsec@w3.org
- Message-ID: <CANJwyhVp+gR+Bb0t=F2=VQsL0YU7Q4KrL6moTEPkwkWG8FL1RA@mail.gmail.com>
Greetings to all, Currently there is an open PR updating the referrer policy test suite with tests to support asserting 301 redirections : https://github.com/w3c/web-platform-tests/pull/1856 However there is an open question: Should the final destination of a sub-resource get the same referrer as the content (img, link, script) and background requests (XHR, Fetch)? *We have the following scenario:* Referrer Policy: Origin when Cross Origin Protocol transition: http to http A priori sub-resource URL: cross-origin Final destination of resource: same origin as browsing context Redirection: Start with a cross-origin request for a sub resource which redirects back to the same origin of the browsing context. I call it a "swap-origin-redirect". -- What is interesting is that Chrome 42 exhibits the following behavior: *Image:* a.com/index.html ==> b.com/img.py?with_redirect --> a.com/img.py?final_dest final_dest gets the *origin only URL* (http://a.com/) See the test <https://github.com/kristijanburnik/web-platform-tests/blob/9e6d3021dbed5e2ada8d6912c15ec1d5fc42ca73/referrer-policy/origin-when-cross-origin/http-csp/cross-origin/http-http/img-tag/cross-origin.swap-origin-redirect.http.html> for img *Fetch:* a.com/index.html ==> b.com/xhr.py?with_redirect --> a.com/xhr.py?final_dest final_dest gets the *stripped referrer URL* (http://a.com/index.html) See the test <https://github.com/kristijanburnik/web-platform-tests/blob/9e6d3021dbed5e2ada8d6912c15ec1d5fc42ca73/referrer-policy/origin-when-cross-origin/http-csp/cross-origin/http-http/fetch-request/cross-origin.swap-origin-redirect.http.html> for fetch -- This only occurs when *origin-when-cross-origin* referrer policy is applied.. My question is: Should we differentiate between types of resources (content vs bg requests) when we have swap-origin redirects which start of as a cross-origin sub-resource request? Wow, such a mouthful... Drawing diagrams helps... :-) Also, see the tests linked above. Please provide some feedback or suggestions. -- *Kristijan Burnik* Software Engineering Intern burnik@google.com Google Germany GmbH Dienerstraße 12 80331 München Geschäftsführer: Graham Law, Christine Elizabeth Flores Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg
Received on Tuesday, 26 May 2015 12:08:41 UTC