W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2015

Re: Referrer value for resources fetched from CSS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 5 Oct 2015 16:32:56 +0200
Message-ID: <CADnb78gHLpgWGiPk5QnmbOODX1SacXBPsBK5ON+-AgBYsWUqLw@mail.gmail.com>
To: Jochen Eisinger <eisinger@google.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Oct 5, 2015 at 4:23 PM, Jochen Eisinger <eisinger@google.com> wrote:
> Problem: some network loads include a referrer header, but there is no spec
> that actually details where this header comes from (i.e. does not integrate
> with Fetch currently)
>
> Proposal: for these loads, specify in the referrer spec that if the referrer
> came from a JavaScript global environment, the referrer policy of that
> global environment should be taken into account. Otherwise, the default
> referrer policy should be used.
>
> does that make sense?

It seems suboptimal. I think it would be better for stylesheets to use
the referrer policy of their associated document. When you change the
referrer policy for a given document, e.g., to none, you wouldn't want
stylesheets to still leak the referrer through image fetches or some
such.


-- 
https://annevankesteren.nl/
Received on Monday, 5 October 2015 14:33:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:52 UTC