attributionsrc request referrer header behavior #382
Comments
I assume it would make sense to treat it like the request to the ad-server that responds with the attributionsrc, i.e. like other sub-resources on the page. If it was omitted, I assume those who want it would add it as a parameter in the attributionsrc URL.
I think I agree with @bmayd here that it makes sense to treat this like a normal request to the ad server. There is no reason (that I know of) from a privacy POV to avoid the referrer and it seems cleaner to encourage users to embed this information in a structured way vs. an unstructured way by embedding it in the URL. However, I really don't feel too strongly about it, so if there are differing opinions I'm happy to hear them.
As an additional data point: while <a ping=> doesn't send the referrer (it sends no-referrer), navigator.sendBeacon() does include it. There is some context on the rationale for excluding from <a ping=> here: https://lists.w3.org/Archives/Public/public-html/2008Feb/0194.html For the most part, this doesn't seem to be applicable so I would also lean towards explicitly including the referrer for these requests and aligning with sendbeacon().
Since discussions are ongoing as to whether to change this behavior, we should ensure that the existing behavior is covered by tests. WICG/attribution-reporting-api#382 Change-Id: I7e5de1d8a01a061785d581379c62f2f2053f9d2b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3621396 Reviewed-by: Nate Chapin <japhet@chromium.org> Reviewed-by: John Delaney <johnidel@chromium.org> Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org> Cr-Commit-Position: refs/heads/main@{#998823}
This will allow us to inspect the header's actual value once it is changed per WICG/attribution-reporting-api#382. Change-Id: I299255221a50c95871bd16955962be57ddf1276b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3624239 Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org> Reviewed-by: John Delaney <johnidel@chromium.org> Cr-Commit-Position: refs/heads/main@{#999081}
Talking with @apasel422 offline, we are trying to think through whether these requests need to abide by Referrer Policy. To me, it seems like it should, i.e. an attributionsrc parallel request on an cc @mikewest in case this doesn't sound right. For context, we are designing a system where the browser will issue parallel subresource requests alongside existing request paths. We are trying to figure out how Referrer should work for these new requests.
If it's a "normal request to the ad server", then it certainly makes sense to respect the referrer policy of the page responsible for the request. By default, that will strip the referrer down to an origin for cross-origin requests, but the page could reasonably choose something more or less restrictive.
That makes sense, but should these requests also respect the element-level https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#integration_with_html
Is there a good reason not to? I think the philosophical discussion could go either way as to whether specifying an
I agree that we should support it. We will have to consider whether to augment the
Rather than always specify no-referrer. WICG/attribution-reporting-api#382 We will propagate element-specific referrer policies (referrerpolicy attribute on <a> and <img>, rel=noreferrer on <a>) in a followup CL. Bug: 1323272 Change-Id: I527ee7a367ec9f294975cf3e6317b60ce091aff8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3632160 Reviewed-by: John Delaney <johnidel@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org> Reviewed-by: Nate Chapin <japhet@chromium.org> Cr-Commit-Position: refs/heads/main@{#1001107}
Since discussions are ongoing as to whether to change this behavior, we should ensure that the existing behavior is covered by tests. WICG/attribution-reporting-api#382 Change-Id: I7e5de1d8a01a061785d581379c62f2f2053f9d2b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3621396 Reviewed-by: Nate Chapin <japhet@chromium.org> Reviewed-by: John Delaney <johnidel@chromium.org> Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org> Cr-Commit-Position: refs/heads/main@{#998823} NOKEYCHECK=True GitOrigin-RevId: e13f0ffea6644b1307c00ed8d46167d19f29da1d
Rather than always specify no-referrer. WICG/attribution-reporting-api#382 We will propagate element-specific referrer policies (referrerpolicy attribute on <a> and <img>, rel=noreferrer on <a>) in a followup CL. Bug: 1323272 Change-Id: I527ee7a367ec9f294975cf3e6317b60ce091aff8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3632160 Reviewed-by: John Delaney <johnidel@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org> Reviewed-by: Nate Chapin <japhet@chromium.org> Cr-Commit-Position: refs/heads/main@{#1001107} NOKEYCHECK=True GitOrigin-RevId: 83f727f99d017931731c55e4d4767aa45cbec26e
For <img> and <script> the attributionsrc request's referrer policy now matches the subresource's policy, rather than the document-level default. For <a> and window.open, the attribution src request's referrer policy now matches that of the navigation, rather than the per-request default. WICG/attribution-reporting-api#382 WICG/attribution-reporting-api#1254 Change-Id: I763c055aef45fc17d41a3ba29b4f6ebfe24646cf
For <img> and <script> the attributionsrc request's referrer policy now matches the subresource's policy, rather than the document-level default. For <a> and window.open, the attribution src request's referrer policy now matches that of the navigation, rather than the per-request default. WICG/attribution-reporting-api#382 WICG/attribution-reporting-api#1254 Change-Id: I763c055aef45fc17d41a3ba29b4f6ebfe24646cf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5463164 Reviewed-by: Dominic Farolino <dom@chromium.org> Reviewed-by: Nan Lin <linnan@chromium.org> Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org> Cr-Commit-Position: refs/heads/main@{#1294868}
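The referrer behaviour this thread settles on, as an added example that is not Chromium's or the specification's own code: it resolves the effective policy (element-level referrerpolicy or rel=noreferrer over the document policy) and derives the Referer value sent with the attributionsrc request. The function names, the example URLs and the https-only trust check are assumptions of this example.

```javascript
// Added example (not Chromium's code): which Referer an attributionsrc request
// carries once the effective referrer policy is resolved.
const POLICIES = new Set(["no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url"]);
const DEFAULT_POLICY = "strict-origin-when-cross-origin";
const valid = (p) => (POLICIES.has(p) ? p : "");

// Element-level settings win over the document policy; rel=noreferrer on <a>
// forces no-referrer. Unrecognised values are ignored.
function effectivePolicy({ documentPolicy = "", referrerpolicy = "", rel = "" }) {
  if (rel.toLowerCase().split(/\s+/).includes("noreferrer")) return "no-referrer";
  return valid(referrerpolicy) || valid(documentPolicy) || DEFAULT_POLICY;
}

// Assumption: "potentially trustworthy" is approximated as https: only.
const isSecure = (u) => u.protocol === "https:";

// Returns the Referer header value, or null when the header is omitted.
// The spec's truncation of very long referrers to the origin is left out.
function computeReferrer(policy, pageUrl, requestUrl) {
  const from = new URL(pageUrl), to = new URL(requestUrl);
  if (!["http:", "https:"].includes(from.protocol)) return null;
  const origin = from.origin + "/";
  const full = from.origin + from.pathname + from.search; // no credentials, no fragment
  const sameOrigin = from.origin === to.origin;
  const downgrade = isSecure(from) && !isSecure(to);
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return origin;
    case "unsafe-url": return full;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    default: // strict-origin-when-cross-origin
      if (sameOrigin) return full;
      return downgrade ? null : origin;
  }
}

// Constructed sample: publisher page and ad-tech attributionsrc endpoint.
const PAGE = "https://publisher.example/article?id=42#comments";
const SRC = "https://adtech.example/register-source";
function refererFor(element) {
  return computeReferrer(effectivePolicy(element), PAGE, SRC);
}
```

With the default policy the ad-tech endpoint sees only the publisher's origin; the query string reaches it only when the page or element opts into a looser policy such as unsafe-url.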
…ttributionsrc requests, a=testonly Automatic update from web-platform-tests Use resource-level referrer policy for attributionsrc requests For <img> and <script> the attributionsrc request's referrer policy now matches the subresource's policy, rather than the document-level default. For <a> and window.open, the attribution src request's referrer policy now matches that of the navigation, rather than the per-request default. WICG/attribution-reporting-api#382 WICG/attribution-reporting-api#1254 Change-Id: I763c055aef45fc17d41a3ba29b4f6ebfe24646cf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5463164 Reviewed-by: Dominic Farolino <dom@chromium.org> Reviewed-by: Nan Lin <linnan@chromium.org> Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org> Cr-Commit-Position: refs/heads/main@{#1294868} -- wpt-commits: c7171d1ffc8e167e649a7b66927528c6521d5bba wpt-pr: 45970
This reverts commit 4c4802b8681c23f09e62c1fb82ed2c00a65d12a6. Reason for revert: Getting approvals on the revert in case launch approvals are not received in time. Original change's description: > Use resource-level referrer policy for attributionsrc requests > > For <img> and <script> the attributionsrc request's referrer policy now > matches the subresource's policy, rather than the document-level > default. > > For <a> and window.open, the attribution src request's referrer policy > now matches that of the navigation, rather than the per-request default. > > WICG/attribution-reporting-api#382 > WICG/attribution-reporting-api#1254 > > Change-Id: I763c055aef45fc17d41a3ba29b4f6ebfe24646cf > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5463164 > Reviewed-by: Dominic Farolino <dom@chromium.org> > Reviewed-by: Nan Lin <linnan@chromium.org> > Commit-Queue: Andrew Paseltiner <apaseltiner@chromium.org> > Cr-Commit-Position: refs/heads/main@{#1294868} Change-Id: I0b25937972ce74dc7519da5f2a6a2664d7ff6134
EVENT.md currently doesn't document how the browser is issuing attributionsrc requests, and whether these are treated like other subresources on the page, or are treated more similar to which does not include a referrer header: https://html.spec.whatwg.org/multipage/links.html#hyperlink-auditing