W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: Referrer value for resources fetched from CSS

From: Jochen Eisinger <eisinger@google.com>
Date: Wed, 30 Sep 2015 15:33:09 +0000
Message-ID: <CALjhuic0gA_so9HfVqbdR-aqYwBY2YPiX8S77rtjOvzZ7vgQhA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
so what if one document references a stylesheet that references a font, but
the document doesn't use it.

now another document (will different referrer policy) references the same
stylesheet, and actually uses the font.

The referrer is the stylesheet. what should the policy be?

On Wed, Sep 30, 2015 at 5:29 PM Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Sep 30, 2015 at 5:21 PM, Jochen Eisinger <eisinger@google.com>
> wrote:
> > Tanvi, what referrer policy does Firefox use for cross origin css docs? I
> > think in Blink, I use the CSS doc as referrer URL, and the referrer
> policy
> > from the document that imported this CSS doc (which actually seems kinda
> > odd).
> >
> > Maybe it was more consistent to use the default referrer policy in that
> > case?
> I think using the referrer policy from the environment settings object
> (from the document that the CSS is associated with, CSS itself doesn't
> have one) is reasonable. CSS could always override this if they wanted
> to at some point by using a referrer policy associated with the
> requests they make.
> --
> https://annevankesteren.nl/
Received on Wednesday, 30 September 2015 15:33:46 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:52 UTC