Re: Referrer value for resources fetched from CSS from Tanvi Vyas on 2015-09-28 (public-webappsec@w3.org from September 2015)

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Mon, 28 Sep 2015 11:03:17 -0700
To: Jochen Eisinger <eisinger@google.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <560980E5.8030405@mozilla.com>

Hi Jochen,

Have you updated the spec?

In Firefox we have a concept of a "triggering principal" and a "loading 
principal"[1].  The triggering principal is like the referrer and points 
to the context that triggered the load.  While the "loading principal" 
should be the principal for the context in which the resource is 
loaded.  Does Chrome have a similar distinction?

In your font example, the stylesheet was the one who triggered the font 
load into the main document.  So the stylesheet is the trigger/referrer 
and the main document is the loading context.

Thanks!

~Tanvi

[1] 
https://mxr.mozilla.org/mozilla-central/source/netwerk/base/nsILoadInfo.idl#130

On 9/8/15 4:59 AM, Jochen Eisinger wrote:
> Chrome uses the CSS file as referrer since quite a while. I agree that 
> the spec should reflect that.
>
> On Tue, Sep 8, 2015 at 1:19 PM Mike West <mkwst@google.com 
> <mailto:mkwst@google.com>> wrote:
>
>     +jochen, bz
>
>     I remember talking with Boris about this, but I can't find the
>     thread at the moment. My vague recollection was that Chrome used
>     the URL of the document that loaded the CSS file, and Firefox used
>     the CSS file. It sounds like that might have changed in the
>     relatively recent past.
>
>     If that's the case, we should update the spec. And by "we", I mean
>     Jochen. :)
>
>     -mike
>
>     --
>     Mike West <mkwst@google.com <mailto:mkwst@google.com>>, @mikewest
>
>     Google Germany GmbH, Dienerstrasse 12, 80331 München,
>     Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
>     Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine
>     Elizabeth Flores
>     (Sorry; I'm legally required to add this exciting detail to
>     emails. Bleh.)
>
>     On Tue, Sep 8, 2015 at 1:01 PM, Yoav Weiss <yoav@yoav.ws
>     <mailto:yoav@yoav.ws>> wrote:
>
>         Hi,
>
>         When going through the definitions and values of the Referer
>         header in the referrer policy
>         <https://w3c.github.io/webappsec/specs/referrer-policy/> spec,
>         I see that the "No referrer when downgrade" policy (which is
>         the default) is defined as "sends a full URL", but it's not
>         clear to me what that URL should be. My default assumption
>         would be that it is the URL of the settings object/main document.
>
>         However, when looking at font resources fetched cross-origin
>         that were defined by an external stylesheet, I see that the
>         "referer" value is that of the stylesheet, rather than that of
>         the main document, in both Firefox and Chrome.
>
>         So, I guess my questions are:
>         * Are I missing something regarding the definitions? Is an
>         external stylesheet defined as a settings object of its own?
>         * When the referrer policy is defined as "origin", what should
>         the referer on such a font resource be?
>
>         Cheers :)
>         Yoav
>
>

Received on Monday, 28 September 2015 18:03:53 UTC