- From: David Bruant <bruant.d@gmail.com>
- Date: Sat, 31 Dec 2011 18:44:21 +0100
Hi,

My feedback regards the current version of the wiki page [1].

I'm curious about why a Referer header is always sent. Specifically for "never", an empty string is sent. Why not just not send the header at all? That's what is specified for @rel=noreferrer [2] for instance:

"If a user agent follows a link defined by an a or area element that has the noreferrer keyword, the user agent must not include a Referer (sic) HTTP header (or equivalent for other protocols) in the request."

It is not said that the empty string is sent, but that the user agent must not include a Referer header at all. Moreover, I don't really know what a server would do more with an empty Referer header as opposed to no header at all, so I don't see a use for an empty Referer.

Another concern is what should happen if a request is sent before finding a meta referrer. For instance:

    <head>
      <link rel="stylesheet" href="a.css">
      <meta name="referrer" content="never">
    </head>

In what conditions should the request for the CSS file be done? Ignore the meta tag? Wait until the end of <head> in case there would be a meta element?

"TODO: This algorithm causes the most recently added meta element to control the referrer-policy. Should we support changing the policy by setting the content attribute?"
=> I think that allowing the policy to be changed by setting the content attribute would be a good idea, but a question can arise regarding what happens if there are several such <meta> elements in the document.

"How does this interact with rel=noreferrer? Presumably rel=noreferrer should override whatever global setting the user agent gets from the meta element."
=> I agree that the specific should override the global.

Also, it seems to me that 2 different concerns are implicitly addressed: "when should the Referer header be sent?" and "what should be sent in the Referer header?" It could make sense to split up the proposal into 2 keywords.

One controlling when the header is sent:
* never
* same origin (send the Referer header if the target URL and document URLs have the same origin)
* default (secure referer & not secure fetched)
* always
* (...)

Another controlling what is sent:
* empty string (if there is really a use case for this)
* origin-only
* fragmentless URL
* (...)

Current policies can be expressed as combinations of the above:
* "never" => default + empty string
* "default" => default + fragmentless URL
* "origin" => default + origin-only
* "always" => always + fragmentless URL

David

[1] http://wiki.whatwg.org/index.php?title=Meta_referrer&oldid=7711
[2] http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer
Received on Saturday, 31 December 2011 09:44:21 UTC
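The two-keyword split proposed in the message above, worked through as an added example that is not part of the original email or of the wiki proposal. The function names are hypothetical; it assumes "default" means "suppress the header only on an https-to-http downgrade" and that origin-only is serialized as the origin plus a trailing slash.

```javascript
// "when" keywords decide whether a Referer header is sent at all;
// "what" keywords decide its value once it is sent.
const WHEN = new Set(["never", "same-origin", "default", "always"]);
const WHAT = new Set(["empty", "origin-only", "fragmentless"]);

function shouldSend(when, from, to) {
  switch (when) {
    case "never":       return false;
    case "always":      return true;
    case "same-origin": return from.origin === to.origin;
    case "default":
      // Assumption: "secure referer & not secure fetched" means the
      // header is dropped only when https leaks to an http target.
      return !(from.protocol === "https:" && to.protocol === "http:");
  }
}

function referrerValue(what, from) {
  switch (what) {
    case "empty":       return "";                 // the questioned empty-string case
    case "origin-only": return `${from.origin}/`;  // scheme://host[:port]/
    case "fragmentless": {
      const u = new URL(from.href);
      u.hash = "";                                  // strip "#fragment" only
      return u.href;
    }
  }
}

// Returns null when no header should be sent, otherwise the header value.
function computeReferer(when, what, fromUrl, toUrl) {
  if (!WHEN.has(when) || !WHAT.has(what)) throw new RangeError("unknown keyword");
  const from = new URL(fromUrl), to = new URL(toUrl);
  return shouldSend(when, from, to) ? referrerValue(what, from) : null;
}

// The wiki page's single keywords, expressed as pairs of the two above.
const LEGACY = {
  never:   ["default", "empty"],
  default: ["default", "fragmentless"],
  origin:  ["default", "origin-only"],
  always:  ["always",  "fragmentless"],
};

function legacyReferer(policy, fromUrl, toUrl) {
  const pair = LEGACY[policy];
  if (!pair) throw new RangeError(`unknown policy: ${policy}`);
  return computeReferer(pair[0], pair[1], fromUrl, toUrl);
}
```

Note that under this decomposition "never" still emits an empty header on a non-downgrade request, which is exactly the behaviour the message questions; a "never" that sends nothing would map to when=never instead.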