
Re: Referrer value for resources fetched from CSS

From: Jochen Eisinger <eisinger@google.com>
Date: Wed, 07 Oct 2015 14:19:42 +0000
Message-ID: <CALjhuichNSFGdQT8f-e1SOBQHrBtcE125JqdtoUNfvQi8vNUiA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>, Boris Zbarsky <bzbarsky@mit.edu>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I compared the implementation in Chrome and Firefox, and they're
different...

I tested two cases:

1) create a stylesheet, update the referrer URL (using the history API),
insert an element that matches a rule which loads an external resource

Here, Chrome and Firefox use the URL from before the history API
modifications.

2) create a stylesheet, update the referrer policy (using a <meta>
element), insert an element that matches a rule which loads an external
resource

Here, Chrome will use the referrer policy from before the meta element was
inserted, but Firefox will use the referrer policy from after.

I think in any case, referrer and referrer policy should behave the same.
Anne raised the point on IRC that it's odd to ignore changes, so I propose
to spec that both the referrer URL as well as the referrer policy from when
the network request is triggered should be used.



On Mon, Oct 5, 2015 at 5:33 PM Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Oct 5, 2015 at 5:19 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> > Of course that may involve
> > changes to the specs that define that the load happens.  :(
>
> To be clear, we need those either way. E.g., as long as CSS doesn't
> define how it uses Fetch, it technically doesn't invoke service
> workers, it technically doesn't apply CSP, it technically doesn't
> abide by Mixed Content blocking, it technically doesn't support HSTS,
> ...
>
>
> --
> https://annevankesteren.nl/
>
Received on Wednesday, 7 October 2015 14:20:21 UTC
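A reproduction of the two test cases described in the message above, as an added example that is not code from the thread or from either browser project. `refererFor()` applies the Referrer Policy rules to decide which Referer value a request should carry; `expectedReferers()` computes that value for both snapshots (document state when the stylesheet was parsed versus when the matching element was inserted), so the proposal in the thread corresponds to the `atRequest` value; `reproduceCase()` is a browser-side harness that builds the stylesheet, changes the referrer URL (history API) or the policy (`<meta name=referrer>`), then inserts the matching element. All function names, the probe URL, the page URLs and the policy values are constructed for illustration; the downgrade check is simplified to https-to-http, and the fallback for an empty policy is an assumption.

```javascript
// Added example, not code from the thread. Pure helpers model what Referer value a
// CSS-triggered fetch should carry; reproduceCase() is the browser-side harness for
// the two cases in the message. Probe URL, page URLs and policies are constructed.

// Referrer URLs lose credentials and fragment before they are sent.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// "origin" forms of the referrer are the serialized origin plus a trailing slash.
function originOf(url) {
  return new URL(url).origin + "/";
}

// Simplified downgrade check (assumption): https -> http is the only downgrade handled.
function isDowngrade(referrerUrl, requestUrl) {
  return new URL(referrerUrl).protocol === "https:" &&
         new URL(requestUrl).protocol === "http:";
}

// Returns the Referer header value for a request, or null when none should be sent.
// An empty policy string falls back to defaultPolicy; no-referrer-when-downgrade is
// assumed as the browser default of the time (pass another value if needed).
function refererFor(policy, referrerUrl, requestUrl,
                    defaultPolicy = "no-referrer-when-downgrade") {
  const effective = policy === "" ? defaultPolicy : policy;
  const sameOrigin = new URL(referrerUrl).origin === new URL(requestUrl).origin;
  const downgrade = isDowngrade(referrerUrl, requestUrl);
  const full = () => stripForReferrer(referrerUrl);
  const origin = () => originOf(referrerUrl);
  switch (effective) {
    case "no-referrer":                 return null;
    case "unsafe-url":                  return full();
    case "origin":                      return origin();
    case "same-origin":                 return sameOrigin ? full() : null;
    case "strict-origin":               return downgrade ? null : origin();
    case "no-referrer-when-downgrade":  return downgrade ? null : full();
    case "origin-when-cross-origin":    return sameOrigin ? full() : origin();
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full() : (downgrade ? null : origin());
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Given the document state when the stylesheet was parsed and when the matching
// element was inserted, compute the Referer each snapshot implies. Under the
// proposal in the thread, the browser should send expected.atRequest.
function expectedReferers(atParse, atRequest, probeUrl) {
  return {
    atParse: refererFor(atParse.policy, atParse.url, probeUrl),
    atRequest: refererFor(atRequest.policy, atRequest.url, probeUrl),
  };
}

// Browser-only harness for case 1 (history API) and case 2 (<meta name=referrer>).
// It returns the two snapshots plus the expected values; compare them with the
// Referer seen in the network panel or in the probe server's log. Without a DOM
// (e.g. in Node) it returns null so the pure helpers above can still be exercised.
function reproduceCase(caseNo, probeUrl) {
  if (typeof document === "undefined") return null;
  const snapshot = () => {
    const meta = document.querySelector('meta[name="referrer"]');
    return { url: location.href, policy: meta ? meta.content : "" };
  };
  const style = document.createElement("style");
  style.textContent = `.probe-${caseNo} { background-image: url("${probeUrl}"); }`;
  document.head.appendChild(style);
  const atParse = snapshot();
  if (caseNo === 1) {
    history.replaceState(null, "", location.pathname + "?changed-after-parse");
  } else {
    const meta = document.createElement("meta");
    meta.name = "referrer";
    meta.content = "no-referrer";
    document.head.appendChild(meta);
  }
  const atRequest = snapshot();
  const el = document.createElement("div");
  el.className = `probe-${caseNo}`;
  document.body.appendChild(el); // matching the rule triggers the background fetch
  return { atParse, atRequest, expected: expectedReferers(atParse, atRequest, probeUrl) };
}

// Offline walk-through of case 2 with constructed snapshots (no browser needed).
const probe = "https://cdn.example.test/probe.png";
const case2 = expectedReferers(
  { url: "https://example.test/page?id=1#top", policy: "" },
  { url: "https://example.test/page?id=1#top", policy: "no-referrer" },
  probe);
console.log("case 2 expected Referer:", case2);
// atParse: "https://example.test/page?id=1", atRequest: null
```

Loaded in a page served over HTTPS, `reproduceCase(1, probe)` and `reproduceCase(2, probe)` each return the two snapshots and the Referer each implies; whichever of `expected.atParse` or `expected.atRequest` matches the value the probe server logs tells you which snapshot that browser uses. The harness cannot read the header itself, which is why the comparison is done against the server log or the network panel.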
