Comments (11)
What about just making this the last step - any remaining case of declaration block should be an inline style ..
from webappsec-referrer-policy.
What about presentation attributes, which get mapped into CSS styles but are not really associated with either stylesheets or declaration blocks? Or maybe they are; Gecko creates declaration blocks for SVG presentation attributes and SMIL-animated stuff (but not HTML presentation attributes).
from webappsec-referrer-policy.
I created a PR here: #92 - wdyt?
from webappsec-referrer-policy.
actually, not sure why we need to restrict this to inline styles.
In the end, if the request doesn't come from a stylesheet, it comes from some declaration block, and if that block doesn't have an owner node, there's not much we can do.
But if it has one, why not use the referrer information from that node?
from webappsec-referrer-policy.
In the end, if the request doesn't come from a stylesheet, it comes from some declaration block
This is not necessarily true. See above about presentation attributes...
from webappsec-referrer-policy.
if I'm reading the spec correctly, e.g., https://html.spec.whatwg.org/#the-page:attr-background says that the corresponding style property should be set, which would put it into an declaration block, no?
What about just adding a forth case: Otherwise: set the referrer policy to "never"
from webappsec-referrer-policy.
says that the corresponding style property should be set
It's used as a specified value in the cascade, is what it says.
which would put it into an declaration block
No, because a declaration block is a CSSOM concept. There is no declaration block associated with mapped attributes, necessarily. One could implement them in terms of one internally, of course, but nothing anywhere requires that.
The right way to solve this, in general, is for CSS to actually define a processing model for URIs that captures the right referrer information. That is, any specified url() value would include not just the URL string but also the relevant referrer and referrer policy. That's what UAs have to do in practice to implement this, no?
If the CSS working group is not cooperating in doing this, then you probably need to explicitly define how this works for the various sources of specified value information. Those include stylesheets, inline styles, and presentation attributes. I think that's it (in the sense that the various SVG/SMIL stuff comes down to being presentation attributes and I'm pretty sure the SMIL source and target have to have the same referrer and referrer policy so you don't have to worry about them being mismatched... I think).
from webappsec-referrer-policy.
I don't think having url() specify the referrer is desirable.
Since we're already in the business of defining CSS for CSS, I could just require that every CSS declaration used in HTML & SVG that is not part of a stylesheet is part of a CSS declaration block that in turn has an owner node
from webappsec-referrer-policy.
I don't think having url() specify the referrer is desirable.
I'm not saying that there would be a refferrer string in the url() syntactic construct.
I'm saying that the url() syntactic construct would lead to the creation of a thing that, in addition to the url string, contains the information needed to load it properly (i.e. referrer and referrer policy, or something they can be gotten from).
I could just require that every CSS declaration used in HTML & SVG that is not part of a stylesheet
Mapped attributes don't necessarily correspond to declarations either. They really do just correspond to a specified value.
Have you talked to the CSSWG about this stuff?
from webappsec-referrer-policy.
I did (last time at TPAC) but without success :/
Let me try to ask them more specific questions
from webappsec-referrer-policy.
@jeisinger let me state here what I suggested on IRC. File an issue at https://github.com/w3c/csswg-drafts/issues/new and link it with this one. Then, if we don't hear back, we can start pinging some individuals (or we can do that right away).
from webappsec-referrer-policy.
Related Issues (20)
- Typo: space between “non-” and “potentially trustworthy” HOT 1
- Should request's referrer uses browsing context container’s node document url in Blob url
- What default policy should new features use? HOT 3
- Inconsistencies with "same-origin" requests HOT 23
- same-origin request definition around A->B->A redirects HOT 2
- Clarify priority on five ways of Referrer Policy Delivery HOT 2
- Drop mentions of HTML5 HOT 1
- [proposal] no-referrer-when-crossorigin HOT 7
- Parameterised Referrer Policy HOT 2
- Strip url check for null url appears redundant HOT 2
- Ability to prevent tabnabbing with the referrer-policy header HOT 3
- Possible Version 2 HOT 2
- "Strip url for use as a referrer" sets path to null, which is a spec type error HOT 1
- Bikeshed (remote) returns an error on main branch HOT 1
- Omit referrers on cross-origin requests from an RFC7686 address HOT 4
- Question in relation to Referrer-Policy header and its relation with link rel attribute HOT 4
- Add referrerpolicy to media elements (<audio> and <video>) HOT 6
- Broken references in Referrer Policy
- Add Referrer-Policy no-referrer-when-cross-origin HOT 7
- Add Referrer-Policy to HTTP Field Name Registry
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webappsec-referrer-policy.