W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: Referrer value for resources fetched from CSS

From: Jochen Eisinger <eisinger@google.com>
Date: Wed, 30 Sep 2015 15:42:58 +0000
Message-ID: <CALjhuicZtOSMheo3ytHPMhyYa8CkUYrmZTXYhth4Zta8OK9UVA@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>, Anne van Kesteren <annevk@annevk.nl>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>
ok, fair enough.

next question. If a document has a meta referrer tag, then includes a
stylesheet, and then later some script modifies the referrer policy, and
then starts using some font.

Should we use the referrer policy from the beginning or the second one
(chrome uses the one from the beginning)

On Wed, Sep 30, 2015 at 5:36 PM Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 9/30/15 11:33 AM, Jochen Eisinger wrote:
> > so what if one document references a stylesheet that references a font,
> > but the document doesn't use it.
> >
> > now another document (will different referrer policy) references the
> > same stylesheet, and actually uses the font.
> >
> > The referrer is the stylesheet. what should the policy be?
>
> In my opinion, the policy of the second document.  Which should be fine,
> as long as the server properly sends "Vary: referrer" in cases in which
> it actually cares about the referrer (good luck to us with that).
>
> Why does it even matter that another document referenced the "same"
> stylesheet? The two documents have distinct stylesheet objects...
>
> -Boris
>
Received on Wednesday, 30 September 2015 15:43:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC