Re: Referrer value for resources fetched from CSS

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Wed, 30 Sep 2015 15:53:05 -0400
To: Jochen Eisinger <eisinger@google.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <560C3DA1.9070900@mit.edu>

On 9/30/15 2:20 PM, Jochen Eisinger wrote:
> What I'm saying is that at least Blink uses the URL at the point the
> stylesheet was loaded. So it would be odd to use the referrer policy
> from when the font is loaded.

No odder than using the referrer policy of the document to start with.

> Of course, a possible alternative would be to use the url and policy
> from when the font is loaded.

You say "the url"... but there are two conceivable sources of referrer 
url: stylesheet and document.

> If the CSS spec actually said what referrer to use, it would be easy to
> figure out what policy to use.

Perhaps.  More precisely, if the CSS spec said which referrer policy to 
use...

> What I mean is that when you insert a stylesheet, and then use
> history.pushState to modify the document's URL, a subsequent font load
> will get the referrer url from when the stylesheet was inserted (in Blink).

Does the font load get the _document_ URL or the _stylesheet_ URL as the 
referrer?

> I guess the best we can do here (without defining what CSS loads should
> do) is saying that for loads of CSS resources, the referrer policy
> should come from wherever the referrer came from.

That's not very helpful, since there is no way to define a referrer 
policy for a stylesheet, right?

-Boris
Received on Wednesday, 30 September 2015 19:53:40 UTC