W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2015

Re: Referrer value for resources fetched from CSS

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Mon, 5 Oct 2015 11:19:34 -0400
To: Jochen Eisinger <eisinger@google.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <56129506.4060707@mit.edu>
On 10/5/15 10:23 AM, Jochen Eisinger wrote:
> Problem: some network loads include a referrer header, but there is no
> spec that actually details where this header comes from (i.e. does not
> integrate with Fetch currently)
>
> Proposal: for these loads, specify in the referrer spec that if the
> referrer came from a JavaScript global environment, the referrer policy
> of that global environment should be taken into account. Otherwise, the
> default referrer policy should be used.
>
> does that make sense?

Thank you for clarifying the situation.

What you sayd makes sense as a proposal, but it leaves open questions 
about what it means to come "from a JavaScript global environment" (e.g. 
is that true for stylesheets that come from <style> elements?) and it 
seems like it allows various ways of leaking more referrer information 
than pages with a restrictive referrer policy expect.

It seems safer to identify which document the load is associated with 
(if any) and apply that document's referrer policy... Of course that may 
involve changes to the specs that define that the load happens.  :(

-Boris
Received on Monday, 5 October 2015 15:20:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:52 UTC