Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upImplement referrer policy delivery via header #11860
Comments
|
This entails checking for the header in |
|
I'd like to try taking this on -- hopefully it's not too unsuitable for a beginner. Here's my understanding so far, to make things extremely concrete:
Sorry for the wall of text! |
|
Looks like you've got a great handle on the work required here! You're welcome to add the header to hyper and use a cargo override to allow you to keep making progress in Servo while the changes aren't merged to hyper's master branch. Creating new headers are often marked as good first issues for new contributors in hyper; there are lots of examples you can crib from there. There is lots of code that already looks at the field, so once you start updating it the tests under |
|
And yes, updating existing callers of the Document constructor is fine. |
|
That's great to hear! Thanks a lot :) |
|
A question: if the |
|
You're right, there doesn't seem to be a reason to store an Option value. |
|
Actually, looking into it a bit more, there definitely is stuff in the spec addressing this issue of the default value. According to sections 3.2 and 7.3, the default should be In this context the Option does seem useful in order to distinguish the case of no referrer policy being specified at all ( |
|
Yep, it's an option to distinguish between an unset referrer policy (None), and one that has been explicitly set via meta elements or headers or otherwise. The default should be None in the long run (which is translated to no ref when downgrade in the determine_request_referrer method). It is set to Some(no-referrer) in the short term because we have only semi-implemented referrer policy delivery (this is what the TODOs in the Document code are for). Basically it's safer - if a document should have a more strict referrer policy (like no-referrer), but that was communicated in the header, we wouldn't have picked it up since we only implemented meta, and as a result would be sending info inappropriately...better to not send than send too much. Once the other delivery methods were implemented (read: once the issues you are working on were implemented), the plan was to make the default None as it should be. Long story short, feel free to change to None when you deem appropriate, and at that point you can also un-ignore the unset-referrer-policy tests, which are currently not being run for this reason. Let me know if this clears it up :) |
|
@rebstar6 OK, that makes sense, thank you :) I wouldn't have thought we needed to be so conservative on that front but why not. |
Implement referrer policy delivery by header Adds a new `Option<ReferrerPolicy>` field to Document and sets it appropriately in `ScriptThread::load` if a Referrer-Policy header is present. r? @jdm <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #11860 - [X] There are tests for these changes <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/12441) <!-- Reviewable:end -->
See https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header for details.
Reference #10311 for servo referrer policy implementation thus far; tests generated in web-platform-tests/wpt#3118.