Comments (12)
it's supposed to say that if you do
var a = document.createElement('a');
a.referrerPolicy = 'origin'; // safe fallback
a.referrerPolicy = 'fancy-new-thing';
and 'fancy-new-thing' isn't implemented, we'll keep using 'origin'
from webappsec-referrer-policy.
Thanks you.
I am more concerned about priority of Referrer Policy delivering in [1](public version)
Questions are
(a) What if the document ships a CSP with a referrer Policy and the worker (called from the document) ships a CSP with a different referrer policy?
(b) Same as (a) but the main document uses but the worker ships with a different referrer policy delivered through CSP. What should be the expected behavior?
(c) What about sub workers? If a main document ships a referrer policy, the workers ships it's own referrer policy through CSP, which one applies to the sub worker? The main document's? The worker's?
[1] https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery
These questions are based on public version. I see CSP is not mentioned anymore in newest draft version, but it may have similar priority concern.
Could you please clarify that? Thank you so much
from webappsec-referrer-policy.
(note that delivery via CSP doesn't exist anymore in the latest draft, but it's a dedicated header now)
in a) the CSP of the worker is applied to the worker
I don't get b)
in c) if the sub-worker doesn't have a CSP it would inherit the policy of the worker that spawned it
from webappsec-referrer-policy.
b) is the mostly the same with a)
Yay! Thank so much for your clarification
Please close it
from webappsec-referrer-policy.
This is related to #46.
and 'fancy-new-thing' isn't implemented, we'll keep using 'origin'
This isn't how things are currently specced or implemented. The spec follows the same logic as "CORS setting attributes" and other enumerated attributes (like <input type>
or <track kind>
), where setting to an invalid type falls back to the "invalid value default".
See http://jsbin.com/wehogulohu/edit?html,console,output for a CORS test. https://jsbin.com/tijoxe/edit?html,console,output is a referrer policy test, using the nonstandard chrome referrerpolicy
(all lowercase) property; it shows how it falls back to the ""
property, which makes sense given the Chrome source code:
[Reflect, ReflectOnly=("","no-referrer","origin","no-referrer-when-downgrade","origin-when-cross-origin","unsafe-url"), ReflectMissing="", ReflectInvalid=""] attribute DOMString referrerpolicy;
from webappsec-referrer-policy.
Well, then that's a bug
Domenic Denicola [email protected] schrieb am Fr., 6. Mai 2016,
16:47:
and 'fancy-new-thing' isn't implemented, we'll keep using 'origin'
This isn't how things are currently specced or implemented. The spec
follows the same logic as "CORS setting attributes" and other enumerated
attributes (like or ), where setting to an
invalid type falls back to the "invalid value default".See http://jsbin.com/wehogulohu/edit?html,console,output for a CORS test.
https://jsbin.com/tijoxe/edit?html,console,output is a referrer policy
test, using the nonstandard chrome referrerpolicy (all lowercase)
property; it shows how it falls back to the "" property, which makes
sense given the Chrome source code:[Reflect, ReflectOnly=("","no-referrer","origin","no-referrer-when-downgrade","origin-when-cross-origin","unsafe-url"), ReflectMissing="", ReflectInvalid=""] attribute DOMString referrerpolicy;
—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#48 (comment)
from webappsec-referrer-policy.
Hmm. We should figure out how to spec that then. Can you think of any other IDL attribute on the web platform that works that way? Can you figure out a way to reconcile the mismatch between the semantics you want for IDL attributes and the semantics for content attributes, which don't retain a "memory" of their old value?
from webappsec-referrer-policy.
@jeisinger I don't think we need it to work that way; I think it would only be a convenience, because you could always use feature detection:
var a = document.createElement('a');
a.referrerPolicy = 'fancy-new-thing';
if (a.referrerPolicy == "")
a.referrerPolicy = 'origin'; // safe fallback
(Unlike the header, where you can't do feature detection before deciding which value to send in the header.)
from webappsec-referrer-policy.
Fair enough. I think the initial text is from when we didn't have feature
detection and you only could blindly thirties l throw things at the meta tag
Emily Stark [email protected] schrieb am Fr., 6. Mai 2016, 18:47:
@jeisinger https://github.com/jeisinger I don't think we need it to
work that way; I think it would only be a convenience, because you could
always use feature detection:var a = document.createElement('a');
a.referrerPolicy = 'fancy-new-thing';
if (a.referrerPolicy == "")
a.referrerPolicy = 'origin'; // safe fallback(Unlike the header, where you can't do feature detection before deciding
which value to send in the header.)—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#48 (comment)
from webappsec-referrer-policy.
I guess my phone is thirsty or something...
Jochen Eisinger [email protected] schrieb am Fr., 6. Mai 2016, 18:48:
Fair enough. I think the initial text is from when we didn't have feature
detection and you only could blindly thirties l throw things at the meta tagEmily Stark [email protected] schrieb am Fr., 6. Mai 2016, 18:47:
@jeisinger https://github.com/jeisinger I don't think we need it to
work that way; I think it would only be a convenience, because you could
always use feature detection:var a = document.createElement('a');
a.referrerPolicy = 'fancy-new-thing';
if (a.referrerPolicy == "")
a.referrerPolicy = 'origin'; // safe fallback(Unlike the header, where you can't do feature detection before deciding
which value to send in the header.)—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#48 (comment)
from webappsec-referrer-policy.
Hahah that was an excellently nonsensical autocorrect. Anyway yeah I have #46 open to clarify that the fallback behavior applies to the header, not the attribute.
from webappsec-referrer-policy.
Close it, thanks all for helping me
from webappsec-referrer-policy.
Related Issues (20)
- Typo: space between “non-” and “potentially trustworthy” HOT 1
- Should request's referrer uses browsing context container’s node document url in Blob url
- What default policy should new features use? HOT 3
- Inconsistencies with "same-origin" requests HOT 23
- same-origin request definition around A->B->A redirects HOT 2
- Clarify priority on five ways of Referrer Policy Delivery HOT 2
- Drop mentions of HTML5 HOT 1
- [proposal] no-referrer-when-crossorigin HOT 7
- Parameterised Referrer Policy HOT 2
- Strip url check for null url appears redundant HOT 2
- Ability to prevent tabnabbing with the referrer-policy header HOT 3
- Possible Version 2 HOT 2
- "Strip url for use as a referrer" sets path to null, which is a spec type error HOT 1
- Bikeshed (remote) returns an error on main branch HOT 1
- Omit referrers on cross-origin requests from an RFC7686 address HOT 4
- Question in relation to Referrer-Policy header and its relation with link rel attribute HOT 4
- Add referrerpolicy to media elements (<audio> and <video>) HOT 6
- Broken references in Referrer Policy
- Add Referrer-Policy no-referrer-when-cross-origin HOT 7
- Add Referrer-Policy to HTTP Field Name Registry
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webappsec-referrer-policy.