[whatwg] Calculating Referer for window.open()

On Wed, May 27, 2009 at 6:54 PM, timeless <timeless at gmail.com> wrote:
> On Wed, May 27, 2009 at 9:52 AM, Adam Barth <whatwg at adambarth.com> wrote:
>> I've been investigating the following question:
>>
>> Suppose frame A calls a function defined by frame B, which calls the
>> open() method of frame C. What URL is sent in the Referer header?
>>
>> My testing shows the following:
>>
>> Internet Explorer 8: No Referer sent
>> Firefox 3: A's URL
>> Safari 3.2: A's URL
>> Google Chrome 2: A's URL
>> Opera 9.52: C's URL
>>
>> My reading of the HTML 5 spec (which is somewhat confusing on this
>> point) seems to indicate that B's URL will be sent. Although I agree
>> that B's URL is the "morally" right URL to send, it appears that
>> browsers favor A's URL.
>
> A is the context running scripts, so it is in the driver seat. It
> referred you to the url.

I think that's an overly simplistic view.  Both A and B are involved
in referring you to the URL.  Most security checks use B because it's
lexically in scope.  Other APIs, like window.location, also pick up
the referrer from B (both in the spec and in implementations).  For
window.open, the implementations and the spec disagree.

Adam

Received on Wednesday, 27 May 2009 22:15:56 UTC