Referrer #80
Comments
|
http://krijnhoetmer.nl/irc-logs/whatwg/20150715#l-431 makes this more or less resolved. |
|
I'd be open to some other mechanism to allow certain page transitions to have a different policy than the document-level policy. Last I checked Chrome allows changing the document's meta referrer value via JS which works too, I suppose. |
|
the conclusion was to add an attribute like referrerPolicy (not referrer, as that's already the referrer itself in fetch), and have it reflect valid values. |
|
Gecko implementation bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1184549 |
|
Blink implementation bug: https://code.google.com/p/chromium/issues/detail?id=514092 |
Is that correct? |
|
Yeah. A request's referrer policy takes precedence over a request's client's referrer policy. |
|
The details of that need to be defined in the Referrer Policy Standard, though. |
|
Thank you! |
|
@annevk, @mikewest, @jeisinger, can you tell me how stable this feature is? |
|
My main worry would be that it has not received much scrutiny. Usually folks notice at least a few mistakes. So I'm not sure many have studied and approved the feature. |
|
Thanks, then I'll wait for a while. |
This CL enables fetch() users to set referrer property of a Request. Instead of sending the "default" referrer, a user can control request's referrer by specifying RequestInit.referrer. Additionally, as an intercepted request in ServiceWorker already has a request referrer, the referrer will be used when issuing fetch with the request. Reflecting the original referrer policy on a ServiceWorker request is disabled by this change: this CL makes all fetch Requests have the default referrer policy. Spec discussion: whatwg/fetch#80 Intent to Implement and Ship: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/m-gMobqmNfk BUG=514092 Review URL: https://codereview.chromium.org/1291073004 git-svn-id: svn://svn.chromium.org/blink/trunk@202257 bbb929c8-8fbe-4397-9dbb-9b2b20218538
This is my current thinking with regards to integrating referrer support into Fetch (and the
fetch()API).Referrer should be copied from an existing
Requestobject. However, it should be reset if any modifications are made to thatRequestobject. This addresses the pass-through scenario for service workers and in particular the CORS CSS case (where the referrer is not same-origin). See also w3c/webappsec#413Referrer should be allowed to be set to any same-origin URL (already possible through
pushState()and other tricks).Referrer should be allowed to be omitted.
Referrer will of course always be subject to the referrer policy of request's client.
In order to support the proposed
referrer=""attribute there would also have to be a request's referrer policy (withreferrer=""mapping to that rather than request's referrer). It's unclear at the moment what wins between a request's referrer policy and a request's client's referrer policy, though @sc0ttbeardsley from Yahoo! has expressed a preference for letting request's referrer policy win which seems to violate the spirit of CSP... See also w3c/webappsec#409@jeisinger and @mikewest, any chance we can resolve this quickly?
The text was updated successfully, but these errors were encountered: