
Re: advance Referrer Policy?

From: Mike West <mkwst@google.com>
Date: Wed, 9 Aug 2017 08:53:15 +0200
Message-ID: <CAKXHy=c=ymf3TxWCAfPkG4ojAV6PZPZTFv5vopb+jug+nn2nDA@mail.gmail.com>
To: Angelo Liao <huliao@microsoft.com>, Emily Stark <estark@google.com>, Franziskus Kiefer <fkiefer@mozilla.com>
Cc: Jochen Eisinger <eisinger@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>

Hrm. I don’t think that removing the expectations for CSS-initiated fetches
is the right solution. We need to describe the way those fetches ought to
work, and AFAIK, Boris and Jochen put a good amount of effort into coming
up with the set of requirements in the document. If the group thinks that
those are the right requirements, I’d prefer to see implementations align
themselves to that agreement rather than throwing it overboard and leaving
the behavior undefined.

Does any vendor object to the requirements set out in
https://w3c.github.io/webappsec-referrer-policy/#integration-with-css? If
not, and it's just a question of resourcing, then one option to advance the
document may be to reformulate them as non-normative suggestions for the
CSS working group if/when they get around to restructuring their specs to
cleanly integrate with Fetch?

Another option would, of course, be to simply wait for another vendor to
implement. Perhaps Mozilla could be encouraged to poke a bit at their
implementation? Looks like 3 of the 7 tests in
https://github.com/w3c/web-platform-tests/tree/master/referrer-policy/css-integration
pass... Just 4 to go! :)

-mike

On Wed 9. Aug 2017 at 00:23, Angelo Liao <huliao@microsoft.com> wrote:

> Edge in the current Windows insider build includes most of the policies
> except same-origin, strict-origin, strict-origin-when-cross-origin.
> Supporting the remaining three is in our roadmap. We don’t intend to
> implement the CSS bits anytime soon as well. If possible, can we pull out
> the CSS section from the current CR so that we can transition the spec to
> PR? In the meantime, we can create a Level 2 and keep the CSS section in
> there.
>
>
>
> *From:* Franziskus Kiefer [mailto:fkiefer@mozilla.com]
> *Sent:* Monday, July 24, 2017 1:29 AM
> *To:* Emily Stark <estark@google.com>
> *Cc:* Jochen Eisinger <eisinger@google.com>; Ann Onimos <dveditz@mozilla.com>;
> public-webappsec@w3.org; Mike West <mkwst@google.com>
> *Subject:* Re: advance Referrer Policy?
>
>
>
> Firefox doesn't implement the CSS bits yet [1]. I'm not sure if this is
> going to change any time soon.
>
>
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1330487
>
>
>
> On Sat, Jul 22, 2017 at 11:53 AM, Emily Stark <estark@google.com> wrote:
>
> Not sure -- Dan, do you know?
>
>
>
> On Fri, Jul 21, 2017 at 8:55 AM, Jochen Eisinger <eisinger@google.com>
> wrote:
>
> Did Firefox implement the CSS specific bits meanwhile?
>
>
>
> On Fri, Jul 21, 2017 at 8:48 AM Emily Stark <estark@google.com> wrote:
>
> Hi all,
>
>
>
> Chrome's implementation of Referrer Policy includes the three newest
> policy values in M61 (https://www.chromestatus.com/feature/5634117806850048).
> I believe this brings us to two interoperable
> implementations, covered by web-platform-tests
> <https://github.com/w3c/web-platform-tests/tree/master/referrer-policy>.
> I'm told this means it might be time for a CfC to transition to PR.
>
>
>
> Thoughts?
>
>
>
> Thanks,
>
> Emily
>
>
>
>
>
Received on Wednesday, 9 August 2017 06:53:59 UTC
