
Referrer value for resources fetched from CSS

From: Yoav Weiss <yoav@yoav.ws>
Date: Tue, 8 Sep 2015 13:01:49 +0200
Message-ID: <CACj=BEi8egXphiJzrf-ccY+GiJ27LvK_ACoXPqFyOnegF3+M7g@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi,

When going through the definitions and values of the Referer header in
the referrer policy <https://w3c.github.io/webappsec/specs/referrer-policy/>
spec, I see
that the "No referrer when downgrade" policy (which is the default) is
defined as "sends a full URL", but it's not clear to me what that URL
should be. My default assumption would be that it is the URL of the
settings object/main document.

However, when looking at font resources fetched cross-origin that were
defined by an external stylesheet, I see that the "referer" value is that
of the stylesheet, rather than that of the main document, in both Firefox
and Chrome.

So, I guess my questions are:
* Am I missing something regarding the definitions? Is an external
stylesheet defined as a settings object of its own?
* When the referrer policy is defined as "origin", what should the referer
on such a font resource be?

Cheers :)
Yoav
Received on Tuesday, 8 September 2015 11:02:18 UTC
