- From: Sid Stamm <sid@mozilla.com>
- Date: Fri, 24 Apr 2015 09:13:57 -0400
- To: public-webappsec@w3.org

Hi group,

The Referrer Policy spec addresses a number of "implicit delivery" situations[0], but I think needs to address another[1].

Consider a link created with a javascript: URI in an anchor:

    <a href="javascript:document.location='https://thirdparty.com/path/doc'">

When clicked, this navigates the current document to a third party site, and the appropriate referrer policy (for the current document) is applied to the load.

For contrast, consider this link:

    <a href="javascript:document.location='https://thirdparty.com/path/doc'" target="_blank">

When clicked, this should open a new document/window and navigate that window. The referrer is inherited by the new document (as is the rest of the principal) but what happens with the referrer policy?

In Firefox, the referrer policy is *not* inherited. Since we create a new document and since the referrer policy is from a meta tag (not from the principal) it is not inherited.

In Chrome (correct me if I'm wrong, Google folks), the target is ignored so it behaves like the first example and does not create a new document.

The policy covers workers and *nested* contexts, but not new documents or windows. I think the spec needs to be updated to say what to do, whether we decide the new document inherits the policy or not.

So what do you think? Copy the referrer policy or not? I'm leaning towards not, since we're creating a new document and the policy, delivered via HTML tag or CSP, is kind of associated with the document (not the principal).

-Sid

[0] https://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-delivery-implicit
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1156107

Received on Friday, 24 April 2015 13:14:28 UTC
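
A small model of the two link cases in the message above, added here as an illustration; it is not part of the original message or of any browser's code. The policy tokens, the default policy assumed for a document that has none, the function names and the sample opener URL are assumptions.

```javascript
// Simplified model: which Referer value a javascript: link ends up sending.
// Only four policy tokens are modelled (modern Referrer Policy names).
const DEFAULT_POLICY = "no-referrer-when-downgrade"; // assumed for a document with no policy

function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = ""; u.password = ""; u.hash = ""; // never sent in Referer
  return originOnly ? u.origin + "/" : u.href;
}

function computeReferer(policy, sourceUrl, targetUrl) {
  const src = new URL(sourceUrl), dst = new URL(targetUrl);
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return stripForReferrer(sourceUrl, true);
    case "unsafe-url": return stripForReferrer(sourceUrl, false);
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripForReferrer(sourceUrl, false);
    default: throw new Error("policy not modelled: " + policy);
  }
}

// opener: { url, policy } of the document that contains the link.
// targetBlank: the anchor has target="_blank".
// inheritPolicy: the open question, does the new document copy the opener's policy?
function refererForJavascriptLink(opener, targetUrl, targetBlank, inheritPolicy) {
  // No target: the javascript: URI navigates the current document, its policy applies.
  // target="_blank": the new document inherits the referrer (the opener's URL);
  // it gets the opener's policy only if the policy is inherited too.
  const policy = (!targetBlank || inheritPolicy) ? opener.policy : DEFAULT_POLICY;
  return computeReferer(policy, opener.url, targetUrl);
}

// Constructed sample values.
const opener = { url: "https://example.org/account/reset?token=abc#frag", policy: "origin" };
const target = "https://thirdparty.com/path/doc";

function scenarios() {
  return {
    sameWindow: refererForJavascriptLink(opener, target, false, false),
    newWindowNotInherited: refererForJavascriptLink(opener, target, true, false),
    newWindowInherited: refererForJavascriptLink(opener, target, true, true),
  };
}
console.log(scenarios());
```

In this model, the non-inheriting case sends the opener's full URL to the third party even though the opener declared `origin`, which is the difference the spec text would need to settle.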