W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: Referrer value for resources fetched from CSS

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Wed, 30 Sep 2015 14:04:59 -0400
To: Jochen Eisinger <eisinger@google.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <560C244B.8050307@mit.edu>
On 9/30/15 1:56 PM, Jochen Eisinger wrote:
> An <img> doesn't suddenly load more resources.

First of all, the proposal is that it in fact can for <svg> images.  ;)

But that's not what I was talking about.

Say I have a document with a <meta referrer> policy.  Then that policy 
gets changed.  Then the script on the page does |var i = new Image(); 
i.src = something|.  Which referrer is used for this load?  Why should 
this case of a new resource load from the document via script any 
different from a new resource load from the document via suddenly 
matching a CSS rule that didn't use to match?

> Also, the actual referrer url of the CSS doc doesn't change either if
> you use history.pushState

I'm not sure whether this is a specific comment about pushState or a 
comment about the fact that doing a pushState doesn't reload the CSS, or 
something else...

-Boris
Received on Wednesday, 30 September 2015 18:05:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC