Comments (7)
"API referrer source" is now basically the environment settings object itself rather than a field on it, passed to fetch as request's client. (Or you can set an explicit referrer through request's referrer.)
from webappsec-referrer-policy.
@annevk with that in mind do you have a suggestion for how to fix https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer step 3.3.2? It doesn't seem obvious to me.
from webappsec-referrer-policy.
I think for a worker you'd just inspect the worker itself for the referrer policy. That would be analogous to CSP. What it states now seems wrong, but I might be missing something?
from webappsec-referrer-policy.
I was hoping for some explicit text, or a pull request on top of my #42 :)
from webappsec-referrer-policy.
@domenic did you happen to already have a plan for fixing the "API referrer source" reference in https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer? I wonder if it should be the creation URL of the environment settings object...
from webappsec-referrer-policy.
I don't have a plan; I was hoping @annevk would give more concrete suggestions. But maybe this isn't so bad after all...
I wonder if it should be the creation URL of the environment settings object...
I believe that is correct, for the worker case. For the document case, the current text seems correct, although I'm not sure on the difference between the responsible browsing context's active document, and the responsible document.
The algorithm looks like it could be cleaned up a decent bit. Here is my draft to replace the current step 3:
- If request's referrer is a URL, then let referrerSource be request's referrer.
- Otherwise,
- If environment's global object is a Window object, then
- Let document be the active document of environment's responsible browsing context.
- If document's origin is an opaque origin, return "no-referrer" and abort this algorithm.
- While document is an iframe srcdoc document, let document be document's browsing context's browsing context container's Document.
- Let referrerSource be document's URL.
- Otherwise, let referrerSource be environment's creation URL.
- If environment's global object is a Window object, then
from webappsec-referrer-policy.
In a series of wonderful pull requests (whatwg/html#1641 whatwg/html#1649 whatwg/html#1651) @estark37 finished this off!
from webappsec-referrer-policy.
Related Issues (20)
- Typo: space between “non-” and “potentially trustworthy” HOT 1
- Should request's referrer uses browsing context container’s node document url in Blob url
- What default policy should new features use? HOT 3
- Inconsistencies with "same-origin" requests HOT 23
- same-origin request definition around A->B->A redirects HOT 2
- Clarify priority on five ways of Referrer Policy Delivery HOT 2
- Drop mentions of HTML5 HOT 1
- [proposal] no-referrer-when-crossorigin HOT 7
- Parameterised Referrer Policy HOT 2
- Strip url check for null url appears redundant HOT 2
- Ability to prevent tabnabbing with the referrer-policy header HOT 3
- Possible Version 2 HOT 2
- "Strip url for use as a referrer" sets path to null, which is a spec type error HOT 1
- Bikeshed (remote) returns an error on main branch HOT 1
- Omit referrers on cross-origin requests from an RFC7686 address HOT 4
- Question in relation to Referrer-Policy header and its relation with link rel attribute HOT 4
- Add referrerpolicy to media elements (<audio> and <video>) HOT 6
- Broken references in Referrer Policy
- Add Referrer-Policy no-referrer-when-cross-origin HOT 7
- Add Referrer-Policy to HTTP Field Name Registry
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webappsec-referrer-policy.