- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Wed, 30 Sep 2015 15:53:05 -0400
- To: Jochen Eisinger <eisinger@google.com>, Anne van Kesteren <annevk@annevk.nl>
- Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 9/30/15 2:20 PM, Jochen Eisinger wrote: > what i'm saying is that at least blink uses the URL at the point the > stylesheet was loaded. So it would be odd to use the referrer policy > from when the font is loaded. No odder than using the referrer policy of the document to start with. > Of course, a possible alternative would be to use the url and policy > from when the font is loaded. You say "the url"... but there are two conceivable sources of referrer url: stylesheet and document. > If the CSS spec actually said what referrer to use, it would be easy to > figure out what policy to use. Perhaps. More precisely, if the CSS spec said which referrer policy to use... > what I mean is that when you insert a stylesheet, and then use > history.pushState to modify the document's URL, a subsequent font load > will get the referrer url from when the stylesheet was inserted (in Blink). Does the font load get the _document_ URL or the _stylesheet_ URL as the referrer? > I guess the best we can do here (without defining what CSS loads should > do) is saying that for loads of CSS resources, the referrer policy > should come from wherever the referrer came from. That's not very helpful, since there is no way to define a referrer policy for a stylesheet, right? -Boris
Received on Wednesday, 30 September 2015 19:53:40 UTC