- From: Adam Barth <whatwg@adambarth.com>
- Date: Wed, 27 May 2009 22:15:56 -0700
On Wed, May 27, 2009 at 6:54 PM, timeless <timeless at gmail.com> wrote:
> On Wed, May 27, 2009 at 9:52 AM, Adam Barth <whatwg at adambarth.com> wrote:
>> I've been investigating the following question:
>>
>> Suppose frame A calls a function defined by frame B, which calls the
>> open() method of frame C. What URL is sent in the Referer header?
>>
>> My testing shows the following:
>>
>> Internet Explorer 8: No Referer sent
>> Firefox 3: A's URL
>> Safari 3.2: A's URL
>> Google Chrome 2: A's URL
>> Opera 9.52: C's URL
>>
>> My reading of the HTML 5 spec (which is somewhat confusing on this
>> point) seems to indicate that B's URL will be sent. Although I agree
>> that B's URL is the "morally" right URL to send, it appears that
>> browsers favor A's URL.
>
> A is the context running scripts, so it is in the driver seat. It
> referred you to the url.

I think that's an overly simplistic view. Both A and B are involved in
referring you to the URL. Most security checks use B because it's
lexically in scope. Other APIs, like window.location, also pick up the
referrer from B (both in the spec and in implementations). For
window.open, the implementations and the spec disagree.

Adam
Received on Wednesday, 27 May 2009 22:15:56 UTC
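
An added example, not part of the original message: a small Node.js harness for rerunning the test described in the thread (frame A calls a function defined in frame B, which calls frame C's open()) and recording which frame's URL arrives in the Referer header. The page paths, frame names, the helper name `openInC` and the port are assumptions made for illustration.

```javascript
// Added example: harness for the A -> B -> C.open() Referer test.
// Paths, frame names, openInC and the port are assumptions.
const PAGES = {
  '/top.html': `<!doctype html><title>top</title>
<iframe name="a" src="/a.html"></iframe>
<iframe name="b" src="/b.html"></iframe>
<iframe name="c" src="/c.html"></iframe>`,
  // A: the frame whose script is running when the button is clicked.
  '/a.html': `<!doctype html><title>A</title>
<button onclick="parent.frames.b.openInC('/target')">run test</button>`,
  // B: defines (lexically) the function that calls C's open().
  '/b.html': `<!doctype html><title>B</title>
<script>function openInC(url) { return parent.frames.c.open(url, '_blank'); }</script>`,
  // C: the window whose open() method is invoked.
  '/c.html': '<!doctype html><title>C</title>',
};
const FRAME_BY_PATH = { '/a.html': 'A', '/b.html': 'B', '/c.html': 'C', '/top.html': 'top' };

// Map a received Referer header to the frame it names.
function classifyReferer(referer, origin) {
  if (!referer) return 'none';
  let u;
  try { u = new URL(referer); } catch { return 'unparseable'; }
  if (u.origin !== origin) return 'other';
  return FRAME_BY_PATH[u.pathname] || 'other';
}

// Pure request handler so the logic can be checked without a socket.
function handle(path, headers) {
  if (path === '/target') {
    const verdict = classifyReferer(headers.referer, `http://${headers.host}`);
    return { status: 200, body: `Referer attributed to: ${verdict}`, verdict };
  }
  const body = PAGES[path];
  return body ? { status: 200, body } : { status: 404, body: 'not found' };
}

// Call serve() and open http://127.0.0.1:8080/top.html in the browser under test.
async function serve(port = 8080) {
  const http = await import('node:http');
  return http.createServer((req, res) => {
    const r = handle(req.url, req.headers);
    if (r.verdict) console.log(`${req.headers['user-agent']} -> ${r.verdict}`);
    res.writeHead(r.status, { 'Content-Type': 'text/html; charset=utf-8' });
    res.end(r.body);
  }).listen(port, '127.0.0.1');
}
```

All four pages share one origin so that A can reach B's function and B can reach C's window; the verdict printed for `/target` is then `A`, `B`, `C`, `top` or `none`.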