Re: Referrer value for resources fetched from CSS

From: Jochen Eisinger <eisinger@google.com>
Date: Mon, 05 Oct 2015 14:34:20 +0000
Message-ID: <CALjhuifSfRFJVvTk=q7HQHA8U3OXYmEXWuzqCnxzp3UE+y2GiQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Oct 5, 2015 at 4:32 PM Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Oct 5, 2015 at 4:23 PM, Jochen Eisinger <eisinger@google.com> wrote:
> > Problem: some network loads include a referrer header, but there is no spec
> > that actually details where this header comes from (i.e. does not integrate
> > with Fetch currently)
> >
> > Proposal: for these loads, specify in the referrer spec that if the referrer
> > came from a JavaScript global environment, the referrer policy of that
> > global environment should be taken into account. Otherwise, the default
> > referrer policy should be used.
> >
> > does that make sense?
>
> It seems suboptimal. I think it would be better for stylesheets to use
> the referrer policy of their associated document. When you change the
> referrer policy for a given document, e.g., to none, you wouldn't want
> stylesheets to still leak the referrer through image fetches or some
> such.
>

that would magically happen if stylesheets used fetch...

>
> --
> https://annevankesteren.nl/
>
Received on Monday, 5 October 2015 14:35:01 UTC
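
The difference between the two options discussed in this message, as an added example that is not part of the original thread: a simplified model of the Referer value sent for an image fetched from CSS. It assumes a stylesheet load does not count as coming from a JavaScript global environment, that the default policy is `no-referrer-when-downgrade`, and that "none" corresponds to `no-referrer`; the function names and sample URLs are constructed.

```javascript
// Simplified model (added example, not from the thread). Only three
// referrer policies are modelled; names follow the Referrer Policy spec.
const DEFAULT_POLICY = "no-referrer-when-downgrade"; // assumed default

// Serialize a referrer: drop fragment and credentials, or keep origin only.
function stripUrl(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// Referer header value for a request, or null when no header is sent.
function refererFor(policy, referrerUrl, targetUrl) {
  const downgrade = new URL(referrerUrl).protocol === "https:" &&
                    new URL(targetUrl).protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return stripUrl(referrerUrl, true);
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripUrl(referrerUrl, false);
    default: throw new Error("policy not modelled: " + policy);
  }
}

// Option 1: use the global environment's policy when the load came from
// one, otherwise the default policy.
function policyFromGlobalOrDefault(req) {
  const policy = req.fromJsGlobal ? req.documentPolicy : DEFAULT_POLICY;
  return refererFor(policy, req.referrerUrl, req.targetUrl);
}

// Option 2: stylesheet loads use the associated document's policy.
function policyFromDocument(req) {
  return refererFor(req.documentPolicy, req.referrerUrl, req.targetUrl);
}

// Constructed sample: background image referenced from a stylesheet of a
// document that opted out of sending referrers.
const cssImage = {
  fromJsGlobal: false,
  documentPolicy: "no-referrer",
  referrerUrl: "https://intranet.example/reports/q3?user=alice#top",
  targetUrl: "https://cdn.example/bg.png",
};

console.log("option 1:", policyFromGlobalOrDefault(cssImage));
console.log("option 2:", policyFromDocument(cssImage));
```

Under option 1 the image request still carries the full document URL despite the document's policy, which is the leak the quoted reply points out.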
