Comments (22)
I recommend reporting that to the browser where it fails. It should work for all HTML link types.
from webappsec-referrer-policy.
That seems reasonable to me, what do you think @jeisinger?
Similarly, is there a reason why it's not available on <script>? (I don't see why a CDN hosting JS should necessarily see the referer, even if some might want at least the origin for analytics)
The intent of the referrerPolicy attribute is to allow for setting a different policy for outgoing navigations.
If you need a finer control over the referrer for sub resources, please use a service worker and modify the referrer via the fetch API.
The intent of the referrerPolicy attribute is to allow for setting a different policy for outgoing navigations.
I thought ads were also a use case y'all wanted to support, hence <img referrerpolicy=whatever> inside a page that set a policy of none. It doesn't seem like you lose much by widening that implementation to other types of requests, given that it's already being piped through for images.
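An added example, not code from the thread or from the Referrer Policy spec editors: a JavaScript model of the point under discussion, namely that an element's referrerpolicy attribute overrides the page-level policy (header) and determines which Referer value a request carries. It follows the spec's "determine request's referrer" steps; the strict-origin-when-cross-origin fallback is an assumption matching the current spec default (the thread predates it).

```javascript
// Valid referrer policy tokens (constructed list, matches the spec's enumeration).
const POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin',
  'unsafe-url',
]);

// Strip credentials and fragment; if originOnly, reduce to origin plus "/".
// Non-HTTP(S) schemes (blob:, data:, ...) yield no referrer at all.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (originOnly) return u.origin + '/';
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}

// The element attribute wins over the document policy; unknown tokens are ignored.
// Assumed fallback: strict-origin-when-cross-origin (current spec default).
function effectivePolicy(documentPolicy, elementPolicy) {
  if (elementPolicy && POLICIES.has(elementPolicy)) return elementPolicy;
  if (documentPolicy && POLICIES.has(documentPolicy)) return documentPolicy;
  return 'strict-origin-when-cross-origin';
}

// Returns the Referer value a request from pageUrl to targetUrl would carry,
// or null when no referrer is sent.
function computeReferrer(documentPolicy, elementPolicy, pageUrl, targetUrl) {
  const policy = effectivePolicy(documentPolicy, elementPolicy);
  const src = new URL(pageUrl), dst = new URL(targetUrl);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:'; // TLS -> plaintext
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return stripForReferrer(pageUrl, false);
    case 'no-referrer-when-downgrade': return downgrade ? null : stripForReferrer(pageUrl, false);
    case 'origin': return stripForReferrer(pageUrl, true);
    case 'strict-origin': return downgrade ? null : stripForReferrer(pageUrl, true);
    case 'same-origin': return sameOrigin ? stripForReferrer(pageUrl, false) : null;
    case 'origin-when-cross-origin': return stripForReferrer(pageUrl, !sameOrigin);
    default: // strict-origin-when-cross-origin
      if (sameOrigin) return stripForReferrer(pageUrl, false);
      return downgrade ? null : stripForReferrer(pageUrl, true);
  }
}
```

The first case below is the one Anne describes: a page served with a no-referrer header whose <img referrerpolicy=origin> still leaks the origin (and only the origin) to the ad server.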
Dunno, I don't really like the idea of adding this to every element that can load something from the network :-/
Does the delivery by CSP apply to just a, area, img or iframe elements?
Delivery via CSP was removed from the spec, and replaced by a dedicated header. That header applies to everything.
Dominic came and explained to me the use case for prefetch / prerender. I can see how that's more like an outgoing navigation, and won't be covered by my service worker proposal.
I guess even if we didn't want to add the attribute to all resources, we could still spec it for prefetch/prerender.
Just to be clear, we already allow it for resources other than navigation. <img> was pointed out, fetch() is another one. I think it would make sense to support it for other elements too, ever since rel=noreferrer existed folks have been asking for that. Why don't you like that idea?
Mainly that it blows up the spec so much.
Maybe now is the time then to move the attribute definition to HTML. 😛
it's not like that would magically spec what CSS does.
And what about meta-refresh and stuff like this?
I'm not sure how CSS is related to the HTML attribute. What is the problem with <meta>?
If we want it on all attributes, we'd also have it on <link rel=stylesheet>, and wouldn't it be odd to just specify what happens for loading stylesheets in some cases, but not all?
Should a <meta http-equiv=...> that results in a network load take the referrerPolicy attribute into account? Or just the referrer-policy header? Or both?
Not saying that it's impossible to spec, just that the amount of spec text doesn't reduce by moving it to http.
Which might be a good idea anyways
I think that whatever we decide here, CSS will eventually have to grow a mechanism to set things integrity. That could be reused for referrer policies.
I do agree that we should not just sprinkle the referrerpolicy around, and it probably should not end up on <meta>, but there are a couple of places where adding it makes sense.
The main thing I meant with moving the attribute definition into HTML was that a) it would shrink your specification, b) @mikewest already moved some other attributes originally specified by WebAppSec, and c) it's kind of useful if the HTML specification has a complete overview of the HTML language.
agreed.
bump
What are the next steps here? We have an intent to ship in Blink for this.. and I'd love to see prefetch/preload/prerender support this.
I think we should add it on link. For now that probably means patching the Referrer Policy standard to make it so.
@igrigorik want to give it a try and send a pull request?
@jeisinger apologies about the delay, been away.. Thanks for adding link support! 👍
I think it would be nice to have it listed that the referrerpolicy only applies to prefetch/preload/prerender.
I'm not an expert, never used those before, I was trying to use it in a <link rel=icon>... Now I tried to use preload with a custom policy before the icon, but it didn't work, the request is done twice, ignoring the preloaded image.