Comments (11)
I think this is desired behavior and was resolved in whatwg/html#1205, is that correct? (@domenic)
from webappsec-referrer-policy.
Right, I think we concluded that, with some of the extra formalization performed in whatwg/html#1205, the behavior described here is the desired one.
Why is that the desired behavior? The referrer is dynamically grabbed from the container document, but the referrer policy is snapshotted? Seems to me they should both be snapshots or both be dynamic.
Hmm, where is the referrer grabbed dynamically from the container document?
The document's referrer is a string (representing a URL) that can be set when the Document is created.
- https://html.spec.whatwg.org/#initialise-the-document-object sets them together (steps 7 and 9)
- https://html.spec.whatwg.org/#creating-a-new-browsing-context sets them together (steps 9 and 10)
https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer step 3 substep 3 subsubsteps 2 and 3.
And note that https://html.spec.whatwg.org/#initialise-the-document-object does not set the referrer for srcdoc documents, because in step 9 the "If resource is a request" precondition is false: a srcdoc has a response but not a request. See https://html.spec.whatwg.org/#process-the-iframe-attributes
So for srcdoc documents the "document's referrer" is never set right now per spec, as far as I can tell. Luckily, https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer never tries to use it for a srcdoc document.
I see, you were talking about the referrer/referrer policy at fetching time, not document creation time. So about the referrer of requests initiated inside that document, not about document.referrer.
After thinking about this a bit more, I appreciate the asymmetry you are referring to. Roughly, when performing a request from "inside" an iframe srcdoc document:
- We determine the referrer by saying "oh, the URL is meaningless (it's about:srcdoc); let's look up to the parent".
- We should determine the referrer policy by saying "oh, the referrer policy is unset; let's look up to the parent".
https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer step 3 substep 3 subsubsteps 2 and 3.
Hmm. These just seem wrong. For example, it doesn't recursively climb. Yes it does, I missed the "while".
I'll send a couple of PRs here to straighten this out.
I gave this a shot but without #40 straightened out it's pretty hard.
The essential asymmetry is that referrer is computed "lazily" by using the value "client" by default; then "Determine request's referrer" takes over and gets a chance to climb iframe srcdocs and such. Whereas, referrer policy does not have this model: the request has a referrer policy, and if it's the default of "", then we don't know if that's because the request initiated from an iframe srcdoc document, or because it came from a normal document with no referrer policy set.
I'm not sure how best to deal with this.
Oh, wait. Fetch already does this kind of lazy climbing for us, kind of:
If request's referrer policy is the empty string and request's client is non-null, then set request's referrer policy to request's client's associated referrer policy. [REFERRER]
We just need to make sure that works correctly for iframe srcdoc documents. Got it, HTML PR incoming.
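A small Python model of the two lookups the thread is about (the "climb out of about:srcdoc" step for the referrer, and the lazy fallback to the client's referrer policy), added here as an illustration; it is not spec text and not code from any of the participants. It assumes a simplified Document type, constructed URLs, and "no-referrer-when-downgrade" as the fallback for an unset policy. The naive and inherited policy functions show the asymmetry: without inheritance a request from a srcdoc document sends the embedder's full URL even though the embedder declared "no-referrer".

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_POLICY = "no-referrer-when-downgrade"  # assumed fallback for an unset policy
@dataclass
class Document:
    url: str                             # "about:srcdoc" for srcdoc documents
    referrer_policy: str = ""            # "" means no policy set on this document
    parent: Optional["Document"] = None  # the embedding (container) document

def referrer_source(client: Document) -> str:
    """Climb out of about:srcdoc documents until a usable referrer URL is found."""
    doc = client
    while doc.url == "about:srcdoc" and doc.parent is not None:
        doc = doc.parent
    return doc.url

def policy_naive(client: Document) -> str:
    """Pre-fix model: the request takes the client's own policy as-is."""
    return client.referrer_policy

def policy_inherited(client: Document) -> str:
    """Fixed model: an unset srcdoc policy climbs to the embedder, like the referrer."""
    doc = client
    while doc.referrer_policy == "" and doc.url == "about:srcdoc" and doc.parent:
        doc = doc.parent
    return doc.referrer_policy

def strip_for_referrer(url: str, origin_only: bool = False) -> str:
    """Drop credentials and fragment; optionally reduce the URL to its origin."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port is not None:
        netloc += f":{p.port}"
    if origin_only:
        return urlunsplit((p.scheme, netloc, "/", "", ""))
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))

def referer_header(client: Document, target: str, policy: str) -> Optional[str]:
    """Referer value the model would send for a request to target, or None."""
    source, policy = referrer_source(client), (policy or DEFAULT_POLICY)
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return strip_for_referrer(source, origin_only=True)
    if policy == "no-referrer-when-downgrade":
        if urlsplit(source).scheme == "https" and urlsplit(target).scheme != "https":
            return None
    return strip_for_referrer(source)  # full stripped URL ("unsafe-url" and the rest)
```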
So about the referrer of requests initiated inside that document, not about document.referrer
Yes! Sorry for the confusion there.
I believe this is fixed by whatwg/html@5d7c532 (@domenic please correct me if I'm wrong!)