- From: John Kemp <john@jkemp.net>
- Date: Wed, 5 Feb 2014 13:48:35 -0500
- To: Jeni Tennison <jeni@jenitennison.com>, "www-tag@w3.org" <www-tag@w3.org>
- Message-ID: <E1WB7X6-0007jm-Oe@maggie.w3.org>
I'll just note that the processing is also complicated by the Content Security Policy 1.1 spec (http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#processing-multiple-referrer-policies)

Regards,

-johnk

-----Original Message-----
From: "Jeni Tennison" <jeni@jenitennison.com>
Sent: 2/5/2014 12:17 PM
To: "www-tag@w3.org" <www-tag@w3.org>
Subject: Capability URLs & Referer headers

Hi,

At the F2F there was some discussion, in the context of advice about capability URLs, about when/whether Referer headers were set. Anne said browsers were converging on:

http://wiki.whatwg.org/wiki/Meta_referrer

which describes methods for controlling what gets sent when. The 'default' setting is:

"Replace the referrer-header-value with the empty string if the <scheme> component of the referrer-header-value represents a protocol that uses transport-layer security and the <scheme> component of the resource being fetched does not."

I read this as saying that if I fetch page A and it has an `https` scheme then it *will* send the Referer header when fetching page B with an `https` scheme (whether or not it's same origin). It will only not send the Referer header when fetching a page with an `http` scheme.

Am I reading that correctly? Is that a correct interpretation of what browsers do by default?

Am I correct that the Referer header will therefore be set when requesting things like Google Analytics scripts or jQuery via CDN because pages have to point to HTTPS versions of these scripts from a page served by HTTPS?

Thanks,

Jeni
--
Jeni Tennison
http://www.jenitennison.com/
Received on Wednesday, 5 February 2014 18:49:14 UTC
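The following is an added worked example, not code from this thread, from the WHATWG wiki page, or from any browser. It models the `default` rule quoted in Jeni's message (strip the Referer only on an https-to-http transition) next to the other legacy `<meta name="referrer">` values (`never`, `origin`, `always`), so the question about a capability URL leaking to a CDN can be checked mechanically. The policy names are those of the old Meta referrer proposal; the set of schemes treated as "uses transport-layer security", the URLs, and the `cap=` token are constructed for the example. Dropping the fragment and userinfo from any emitted Referer follows RFC 7231 section 5.5.2.

```python
"""Model of the legacy <meta name="referrer"> policies (added illustration).

Policies: "never", "origin", "default", "always" (old WHATWG proposal).
The "default" branch implements the rule quoted in the thread: send the
referrer unless the referring page used TLS and the target does not.
"""
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: these schemes count as "transport-layer security".
TLS_SCHEMES = {"https", "wss"}


def _strip_sensitive_parts(url: str) -> str:
    """Drop userinfo and fragment; user agents must not put them in Referer."""
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]  # remove "user:pass@" if present
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def _origin(url: str) -> str:
    """Origin-only form: scheme://host[:port]/ with no path or query."""
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return f"{parts.scheme}://{netloc}/"


def referer_for(referrer_url: str, target_url: str, policy: str = "default") -> str:
    """Return the Referer header value, or "" when no header would be sent."""
    if policy == "never":
        return ""
    if policy == "origin":
        return _origin(referrer_url)
    if policy == "always":
        return _strip_sensitive_parts(referrer_url)
    if policy == "default":
        src = urlsplit(referrer_url).scheme.lower()
        dst = urlsplit(target_url).scheme.lower()
        # The quoted rule: empty the value only on a TLS -> non-TLS transition.
        if src in TLS_SCHEMES and dst not in TLS_SCHEMES:
            return ""
        return _strip_sensitive_parts(referrer_url)
    raise ValueError(f"unknown referrer policy: {policy!r}")


def leaks_capability(referrer_url: str, target_url: str, policy: str = "default") -> bool:
    """True if anything beyond the page's origin (path/query, hence a token
    embedded in a capability URL) would reach the target's server."""
    sent = referer_for(referrer_url, target_url, policy)
    return sent not in ("", _origin(referrer_url))


if __name__ == "__main__":
    # Constructed scenario from the thread: an HTTPS page whose URL carries a
    # capability token loads a third-party script over HTTPS and an image over HTTP.
    page = "https://app.example/doc?cap=s3cr3t"
    for target in ("https://cdn.example.net/jquery.min.js", "http://plain.example/img.png"):
        for policy in ("default", "origin", "never", "always"):
            print(f"{policy:8} -> {target:40} Referer={referer_for(page, target, policy)!r}"
                  f" leaks={leaks_capability(page, target, policy)}")
```

Under `default`, the https-to-https fetch of the CDN script sends the full page URL, token included, while the http image fetch sends nothing, which is exactly the reading Jeni asks about; switching the page to `origin` keeps the cross-origin script request informative about the site without exposing the path or query.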