- From: Jochen Eisinger <eisinger@google.com>
- Date: Tue, 29 Sep 2015 06:54:03 +0000
- To: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CALjhuidc0HHwij-LzVtUNOFTvzsmjJoFENunwBjHbWog7kGKkQ@mail.gmail.com>
On Mon, Sep 28, 2015 at 8:03 PM Tanvi Vyas <tanvi@mozilla.com> wrote: > Hi Jochen, > > Have you updated the spec? > Not yet, no. > > In Firefox we have a concept of a "triggering principal" and a "loading > principal"[1]. The triggering principal is like the referrer and points to > the context that triggered the load. While the "loading principal" should > be the principal for the context in which the resource is loaded. Does > Chrome have a similar distinction? > No, Chrome doesn't have such a clear distinction. We have a FetchContext which I guess corresponds to the loading principal, but a resource can ignore the referrer and origin from the FetchContext which is what e.g. CSSImageValue does. > > In your font example, the stylesheet was the one who triggered the font > load into the main document. So the stylesheet is the trigger/referrer and > the main document is the loading context. > > Thanks! > > ~Tanvi > > [1] > https://mxr.mozilla.org/mozilla-central/source/netwerk/base/nsILoadInfo.idl#130 > > > On 9/8/15 4:59 AM, Jochen Eisinger wrote: > > Chrome uses the CSS file as referrer since quite a while. I agree that the > spec should reflect that. > > On Tue, Sep 8, 2015 at 1:19 PM Mike West < <mkwst@google.com> > mkwst@google.com> wrote: > >> +jochen, bz >> >> I remember talking with Boris about this, but I can't find the thread at >> the moment. My vague recollection was that Chrome used the URL of the >> document that loaded the CSS file, and Firefox used the CSS file. It sounds >> like that might have changed in the relatively recent past. >> >> If that's the case, we should update the spec. And by "we", I mean >> Jochen. :) >> >> -mike >> >> -- >> Mike West <mkwst@google.com>, @mikewest >> >> Google Germany GmbH, Dienerstrasse 12, 80331 München, >> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der >> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth >> Flores >> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) >> >> On Tue, Sep 8, 2015 at 1:01 PM, Yoav Weiss <yoav@yoav.ws> wrote: >> >>> Hi, >>> >>> When going through the definitions and values of the Referer header in >>> the referrer policy >>> <https://w3c.github.io/webappsec/specs/referrer-policy/> spec, I see >>> that the "No referrer when downgrade" policy (which is the default) is >>> defined as "sends a full URL", but it's not clear to me what that URL >>> should be. My default assumption would be that it is the URL of the >>> settings object/main document. >>> >>> However, when looking at font resources fetched cross-origin that were >>> defined by an external stylesheet, I see that the "referer" value is that >>> of the stylesheet, rather than that of the main document, in both Firefox >>> and Chrome. >>> >>> So, I guess my questions are: >>> * Are I missing something regarding the definitions? Is an external >>> stylesheet defined as a settings object of its own? >>> * When the referrer policy is defined as "origin", what should the >>> referer on such a font resource be? >>> >>> Cheers :) >>> Yoav >>> >>> >> >
Received on Tuesday, 29 September 2015 06:54:44 UTC