Re: Referrer value for resources fetched from CSS

From: Jochen Eisinger <eisinger@google.com>
Date: Tue, 08 Sep 2015 11:59:46 +0000
Message-ID: <CALjhuifmqO442SZymimNkfGfwbGwTpUTdo=9yH_rooBr2Kd42g@mail.gmail.com>
To: Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Chrome has used the CSS file as the referrer for quite a while. I agree that the
spec should reflect that.

On Tue, Sep 8, 2015 at 1:19 PM Mike West <mkwst@google.com> wrote:

> +jochen, bz
>
> I remember talking with Boris about this, but I can't find the thread at
> the moment. My vague recollection was that Chrome used the URL of the
> document that loaded the CSS file, and Firefox used the CSS file. It sounds
> like that might have changed in the relatively recent past.
>
> If that's the case, we should update the spec. And by "we", I mean Jochen.
> :)
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Tue, Sep 8, 2015 at 1:01 PM, Yoav Weiss <yoav@yoav.ws> wrote:
>
>> Hi,
>>
>> When going through the definitions and values of the Referer header in
>> the referrer policy
>> <https://w3c.github.io/webappsec/specs/referrer-policy/> spec, I see
>> that the "No referrer when downgrade" policy (which is the default) is
>> defined as "sends a full URL", but it's not clear to me what that URL
>> should be. My default assumption would be that it is the URL of the
>> settings object/main document.
>>
>> However, when looking at font resources fetched cross-origin that were
>> defined by an external stylesheet, I see that the "referer" value is that
>> of the stylesheet, rather than that of the main document, in both Firefox
>> and Chrome.
>>
>> So, I guess my questions are:
>> * Am I missing something regarding the definitions? Is an external
>> stylesheet defined as a settings object of its own?
>> * When the referrer policy is defined as "origin", what should the
>> referer on such a font resource be?
>>
>> Cheers :)
>> Yoav
>>
>>
>
Received on Tuesday, 8 September 2015 12:00:28 UTC
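The behaviour the thread converges on (the stylesheet, not the document, is the referrer source for resources it fetches) can be modelled directly, which also answers Yoav's second question about the "origin" policy. The following is an added example, not code from the thread or from Chrome or Firefox. The URL stripping and per-policy rules follow the Referrer Policy spec's "determine request's referrer" algorithm; `same-origin`, `strict-origin` and `strict-origin-when-cross-origin` are later additions to the spec than the 2015 draft under discussion. The hosts in the scenario are made up.

```javascript
// Model of the Referer value sent for a subresource declared in an external
// stylesheet, using the stylesheet URL as the referrer source (the behaviour
// the thread reports for Chrome and Firefox). Added example, not browser code.
// Uses the WHATWG URL parser available as a global in Node.js and browsers.

// "Strip URL for use as a referrer": drop credentials and fragment; non-http(s)
// sources (data:, blob:, about:) yield no referrer.
function stripForReferrer(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only referrer: serialized origin followed by "/".
function originOf(urlString) {
  return new URL(urlString).origin + '/';
}

// A downgrade is a request from a TLS-protected source to a non-TLS target.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Referer header value (null means "send no Referer") for a request to
// targetUrl whose referrer source is sourceUrl, under the given policy.
function computeReferrer(sourceUrl, targetUrl, policy) {
  const full = stripForReferrer(sourceUrl);
  if (full === null) return null;
  const origin = originOf(full);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade': // the default policy
      return isDowngrade(full, targetUrl) ? null : full;
    case 'origin':
      return origin;
    case 'origin-when-cross-origin':
      return sameOrigin(full, targetUrl) ? full : origin;
    case 'unsafe-url':
      return full;
    case 'same-origin': // later spec addition
      return sameOrigin(full, targetUrl) ? full : null;
    case 'strict-origin': // later spec addition
      return isDowngrade(full, targetUrl) ? null : origin;
    case 'strict-origin-when-cross-origin': // later spec addition
      if (isDowngrade(full, targetUrl)) return null;
      return sameOrigin(full, targetUrl) ? full : origin;
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Constructed scenario (hypothetical hosts): a document loads a cross-origin
// stylesheet, and that stylesheet declares a cross-origin font.
const SCENARIO = {
  documentUrl: 'https://app.example/page.html#section',
  stylesheetUrl: 'https://static.example/css/site.css?v=3',
  fontUrl: 'https://fonts.example/font.woff2',
};

// Referer on the font request, taking the stylesheet (not the document) as the
// referrer source.
function fontReferrer(policy, scenario = SCENARIO) {
  return computeReferrer(scenario.stylesheetUrl, scenario.fontUrl, policy);
}

// Compare against what would be sent if the document were the referrer source.
function referrerComparison(policy, scenario = SCENARIO) {
  return {
    policy,
    stylesheetAsSource: fontReferrer(policy, scenario),
    documentAsSource: computeReferrer(scenario.documentUrl, scenario.fontUrl, policy),
  };
}

for (const policy of ['no-referrer-when-downgrade', 'origin', 'unsafe-url']) {
  console.log(referrerComparison(policy));
}
```

With the stylesheet as the source, the default policy sends the stylesheet's full (credential- and fragment-stripped) URL, and the "origin" policy sends the stylesheet's origin, not the document's; the comparison makes that difference visible for each policy.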