Re: Referrer value for resources fetched from CSS

Chrome has used the CSS file as referrer for quite a while. I agree that the
spec should reflect that.

On Tue, Sep 8, 2015 at 1:19 PM Mike West <mkwst@google.com> wrote:

> +jochen, bz
>
> I remember talking with Boris about this, but I can't find the thread at
> the moment. My vague recollection was that Chrome used the URL of the
> document that loaded the CSS file, and Firefox used the CSS file. It sounds
> like that might have changed in the relatively recent past.
>
> If that's the case, we should update the spec. And by "we", I mean Jochen.
> :)
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Tue, Sep 8, 2015 at 1:01 PM, Yoav Weiss <yoav@yoav.ws> wrote:
>
>> Hi,
>>
>> When going through the definitions and values of the Referer header in
>> the referrer policy
>> <https://w3c.github.io/webappsec/specs/referrer-policy/> spec, I see
>> that the "No referrer when downgrade" policy (which is the default) is
>> defined as "sends a full URL", but it's not clear to me what that URL
>> should be. My default assumption would be that it is the URL of the
>> settings object/main document.
>>
>> However, when looking at font resources fetched cross-origin that were
>> defined by an external stylesheet, I see that the "referer" value is that
>> of the stylesheet, rather than that of the main document, in both Firefox
>> and Chrome.
>>
>> So, I guess my questions are:
>> * Am I missing something regarding the definitions? Is an external
>> stylesheet defined as a settings object of its own?
>> * When the referrer policy is defined as "origin", what should the
>> referer on such a font resource be?
>>
>> Cheers :)
>> Yoav
>>
>>
>

Received on Tuesday, 8 September 2015 12:00:28 UTC