
Comments (22)

annevk commented on June 12, 2024

I recommend reporting that to the browser where it fails. It should work for all HTML link types.

from webappsec-referrer-policy.

estark37 commented on June 12, 2024

That seems reasonable to me, what do you think @jeisinger?

davidillsley commented on June 12, 2024

Similarly, is there a reason why it's not available on <script>? (I don't see why a CDN hosting JS should necessarily see the referer, even if some might want at least the origin for analytics.)

jeisinger commented on June 12, 2024

The intent of the referrerPolicy attribute is to allow for setting a different policy for outgoing navigations.

If you need a finer control over the referrer for sub resources, please use a service worker and modify the referrer via the fetch API.

mikewest commented on June 12, 2024

> The intent of the referrerPolicy attribute is to allow for setting a different policy for outgoing navigations.

I thought ads were also a use case y'all wanted to support, hence <img referrerpolicy=whatever> inside a page that set a policy of none. It doesn't seem like you lose much by widening that implementation to other types of requests, given that it's already being piped through for images.

jeisinger commented on June 12, 2024

Dunno, I don't really like the idea of adding this to every element that can load something from the network :-/

davidillsley commented on June 12, 2024

Does the delivery by CSP apply to just a, area, img or iframe elements?

jeisinger commented on June 12, 2024

Delivery via CSP was removed from the spec, and replaced by a dedicated header. That header applies to everything.

jeisinger commented on June 12, 2024

Dominic came and explained to me the use case for prefetch / prerender. I can see how that's more like an outgoing navigation, and won't be covered by my service worker proposal.

I guess even if we didn't want to add the attribute to all resources, we could still spec it for prefetch/prerender.

annevk commented on June 12, 2024

Just to be clear, we already allow it for resources other than navigation. <img> was pointed out, fetch() is another one. I think it would make sense to support it for other elements too; ever since rel=noreferrer existed, folks have been asking for that. Why don't you like that idea?
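The thread keeps returning to what a subresource host (the CDN in davidillsley's question, the ad image in mikewest's) actually receives under a given policy, and to how a per-element referrerpolicy attribute sits next to the document-wide Referrer-Policy header. The block below is an added example written for this page; it is not code from the thread, from the Referrer Policy spec, or from the webappsec-referrer-policy project. It models the Fetch standard's "determine request's referrer" steps for all eight current policy keywords (the `none` in mikewest's comment is the older spelling of what became `no-referrer`), plus the precedence rule the thread describes: element attribute (or rel=noreferrer) over header over browser default. The names `computeReferer`, `effectivePolicy` and `refererTable`, the sample URLs, and the simplification that a "downgrade" is an https: page fetching an http: URL are all assumptions made here, not anything the spec or the thread defines.

```javascript
// Added example: model of Referer computation under each referrer policy.
// Follows the Fetch standard's "determine request's referrer" steps in
// simplified form. Assumption: "downgrade" means an https: referrer fetching
// an http: target (the spec's "potentially trustworthy URL" notion is wider,
// e.g. it also treats localhost as trustworthy).

const POLICIES = [
  'no-referrer',
  'no-referrer-when-downgrade',
  'same-origin',
  'origin',
  'strict-origin',
  'origin-when-cross-origin',
  'strict-origin-when-cross-origin',
  'unsafe-url',
];

// A referrer never carries credentials or the fragment, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// The origin-only form is serialized with a trailing slash, e.g. https://a.example/
function originOf(url) {
  return new URL(url).origin + '/';
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Assumption (see above): downgrade = secure referrer, insecure target.
function isDowngrade(referrer, target) {
  return new URL(referrer).protocol === 'https:' && new URL(target).protocol === 'http:';
}

// Returns the Referer header value that would be sent, or null when the
// request carries no Referer at all.
function computeReferer(policy, referrer, target) {
  if (!POLICIES.includes(policy)) throw new Error(`unknown referrer policy: ${policy}`);
  const full = stripForReferrer(referrer);
  const origin = originOf(referrer);
  const same = sameOrigin(referrer, target);
  const downgrade = isDowngrade(referrer, target);
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return origin;
    case 'strict-origin': return downgrade ? null : origin;
    case 'same-origin': return same ? full : null;
    case 'origin-when-cross-origin': return same ? full : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (same) return full;
      return downgrade ? null : origin;
  }
}

// Precedence as discussed in the thread: a per-element referrerpolicy
// attribute (or rel=noreferrer, which acts as "no-referrer") overrides the
// document-wide Referrer-Policy header. An empty or unrecognised attribute
// value falls back to the header; an empty header falls back to the browser
// default, which current browsers take to be strict-origin-when-cross-origin.
function effectivePolicy({ attribute = '', header = '', noreferrerRel = false } = {}) {
  if (noreferrerRel) return 'no-referrer';
  if (POLICIES.includes(attribute)) return attribute;
  if (POLICIES.includes(header)) return header;
  return 'strict-origin-when-cross-origin';
}

// What one third-party host sees for the same page under every policy.
function refererTable(referrer, target) {
  return Object.fromEntries(POLICIES.map((p) => [p, computeReferer(p, referrer, target)]));
}

// Constructed sample: a page whose query string is sensitive, loading a CDN
// script. Run with node to print the leak table for each policy.
const PAGE = 'https://app.example/account?id=42#top';
const CDN_SCRIPT = 'https://cdn.example/lib.js';
console.table(refererTable(PAGE, CDN_SCRIPT));
```

Reading the table for the CDN case shows why the thread's participants wanted the attribute on `<script>` and `<link>`: with the header alone, every subresource on the page gets the same treatment, whereas a per-element `referrerpolicy=origin` lets the script host receive only `https://app.example/` while same-origin requests keep the full URL.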

jeisinger commented on June 12, 2024

Mainly that it blows up the spec so much.

annevk commented on June 12, 2024

Maybe now is the time then to move the attribute definition to HTML. 😛

jeisinger commented on June 12, 2024

It's not like that would magically spec what CSS does.

And what about meta-refresh and stuff like this?

annevk commented on June 12, 2024

I'm not sure how CSS is related to the HTML attribute. What is the problem with <meta>?

jeisinger commented on June 12, 2024

If we want it on all attributes, we'd also have it on <link rel=stylesheet>, and wouldn't it be odd to just specify what happens for loading stylesheets in some cases, but not all?

Should a <meta http-equiv=...> that results in a network load take the referrerPolicy attribute into account? Or just the referrer-policy header? Or both?

Not saying that it's impossible to spec, just that the amount of spec text doesn't reduce by moving it to http.

Which might be a good idea anyways.

annevk commented on June 12, 2024

I think that whatever we decide here, CSS will eventually have to grow a mechanism to set things like integrity. That could be reused for referrer policies.

I do agree that we should not just sprinkle the referrerpolicy around, and it probably should not end up on <meta>, but there are a couple of places where adding it makes sense.

The main thing I meant with moving the attribute definition into HTML was that a) it would shrink your specification, b) @mikewest already moved some other attributes originally specified by WebAppSec, and c) it's kind of useful if the HTML specification has a complete overview of the HTML language.

jeisinger commented on June 12, 2024

Agreed.

igrigorik commented on June 12, 2024

bump

What are the next steps here? We have an intent to ship in Blink for this... and I'd love to see prefetch/preload/prerender support this.

annevk commented on June 12, 2024

I think we should add it on link. For now that probably means patching the Referrer Policy standard to make it so.

jeisinger commented on June 12, 2024

@igrigorik want to give it a try and send a pull request?

igrigorik commented on June 12, 2024

@jeisinger apologies about the delay, been away... Thanks for adding link support! 👍

Alynva commented on June 12, 2024

I think it would be nice to have it listed that the referrerpolicy only applies to prefetch/preload/prerender.

I'm not an expert, never used those before; I was trying to use it in a <link rel=icon>... Now I tried to use preload with a custom policy before the icon, but it didn't work: the request is done twice, ignoring the preloaded image.
