W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: Referrer value for resources fetched from CSS

From: Jochen Eisinger <eisinger@google.com>
Date: Wed, 30 Sep 2015 18:20:59 +0000
Message-ID: <CALjhuif=cihTQ740Eq6EUfr8tBNAUAsxATMpL_7keVhcoc9Whw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>, Anne van Kesteren <annevk@annevk.nl>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Sep 30, 2015 at 8:05 PM Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 9/30/15 1:56 PM, Jochen Eisinger wrote:
> > An <img> doesn't suddenly load more resources.
>
> First of all, the proposal is that it in fact can for <svg> images.  ;)
>
> But that's not what I was talking about.
>
> Say I have a document with a <meta referrer> policy.  Then that policy
> gets changed.  Then the script on the page does |var i = new Image();
> i.src = something|.  Which referrer is used for this load?  Why should
> this case of a new resource load from the document via script any
> different from a new resource load from the document via suddenly
> matching a CSS rule that didn't use to match?
>

what i'm saying is that at least blink uses the URL at the point the
stylesheet was loaded. So it would be odd to use the referrer policy from
when the font is loaded.

Of course, a possible alternative would be to use the url and policy from
when the font is loaded.

If the CSS spec actually said what referrer to use, it would be easy to
figure out what policy to use.


>
> > Also, the actual referrer url of the CSS doc doesn't change either if
> > you use history.pushState
>
> I'm not sure whether this is a specific comment about pushState or a
> comment about the fact that doing a pushState doesn't reload the CSS, or
> something else...
>
>
what I mean is that when you insert a stylesheet, and then use
history.pushState to modify the document's URL, a subsequent font load will
get the referrer url from when the stylesheet was inserted (in Blink).

I guess the best we can do here (without defining what CSS loads should do)
is saying that for loads of CSS resources, the referrer policy should come
from wherever the referrer came from.



> -Boris
>
>
Received on Wednesday, 30 September 2015 18:21:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC