Implement referrer policy delivery via noreferrer link relation #12493
Conversation
highfive commented Jul 18, 2016

Thanks for the pull request, and welcome! The Servo team is excited to review your changes, and you should hear from @KiChjang (or someone else) soon.
highfive commented Jul 18, 2016

Heads up! This PR modifies the following files:
(force-pushed c379af1 to 930cb0f)
I don't believe the fallback should occur in that method, since it doesn't match https://w3c.github.io/webappsec-referrer-policy/#determine-policy-for-token .
(force-pushed 930cb0f to 80f9acd)
Oops. I misunderstood this with the empty-string referrer policy. Fixed.
(force-pushed f355721 to 22294db)
Hmm. Seems like 1a242d8 changed the default referrer policy of Document and changed part of my test expectations. I understand it's safer to set the default as no-referrer for now, but it makes some of my test expectations go from pass to fail and vice versa. That's quite subtle, since those passing tests are actually wrong. What do you think about this?
I think now that we implement multiple ways of delivering referrer policies (meta, HTTP header, and attributes) we can switch the default to no-referrer-when-downgrade without concern.
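The two review threads above (the fallback does not belong in the "determine policy for token" step, and the document default becoming no-referrer-when-downgrade) both come down to where the default is substituted: a token that is unknown or empty yields no policy, `rel=noreferrer` on the element forces no-referrer regardless of any `referrerpolicy` attribute, and only at request time does an absent policy fall back to the default. The Rust below is an added example written for this page, not Servo's code; the type and function names, the caller-supplied default, the hand-rolled URL splitting and the sample URLs are its own assumptions.

```rust
// Added example, not Servo's code: how the referrer policy delivered by an
// <a>/<link> element is resolved (rel=noreferrer, then the referrerpolicy
// attribute, then the document's policy) and what Referer a navigation would
// then carry. Names, the default passed by the caller, the URL splitting and
// the sample URLs in main() are this example's own assumptions.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ReferrerPolicy {
    NoReferrer,
    NoReferrerWhenDowngrade,
    Origin,
    OriginWhenCrossOrigin,
    SameOrigin,
    StrictOrigin,
    StrictOriginWhenCrossOrigin,
    UnsafeUrl,
}

/// "Determine policy for token": a known token maps to a policy; the empty
/// string and unknown tokens yield no policy. No default is substituted here;
/// that happens only when the request is made (see `referrer_for_request`).
pub fn determine_policy_for_token(token: &str) -> Option<ReferrerPolicy> {
    use ReferrerPolicy::*;
    Some(match token.to_ascii_lowercase().as_str() {
        "no-referrer" => NoReferrer,
        "no-referrer-when-downgrade" => NoReferrerWhenDowngrade,
        "origin" => Origin,
        "origin-when-cross-origin" => OriginWhenCrossOrigin,
        "same-origin" => SameOrigin,
        "strict-origin" => StrictOrigin,
        "strict-origin-when-cross-origin" => StrictOriginWhenCrossOrigin,
        "unsafe-url" => UnsafeUrl,
        _ => return None,
    })
}

/// Policy delivered by an <a>/<link>: `rel=noreferrer` wins outright, then a
/// valid `referrerpolicy` attribute, then whatever the document delivered via
/// its Referrer-Policy header or <meta name="referrer"> (possibly nothing).
pub fn element_referrer_policy(
    rel: &str,
    referrerpolicy_attr: Option<&str>,
    document_policy: Option<ReferrerPolicy>,
) -> Option<ReferrerPolicy> {
    let has_noreferrer = rel
        .split_ascii_whitespace()
        .any(|t| t.eq_ignore_ascii_case("noreferrer"));
    if has_noreferrer {
        return Some(ReferrerPolicy::NoReferrer);
    }
    referrerpolicy_attr
        .and_then(determine_policy_for_token)
        .or(document_policy)
}

/// Minimal "scheme://host[:port]" split; enough for the origin comparison here.
fn scheme_and_host(url: &str) -> Option<(String, String)> {
    let (scheme, rest) = url.split_once("://")?;
    let host = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    if scheme.is_empty() || host.is_empty() {
        return None;
    }
    Some((scheme.to_ascii_lowercase(), host.to_ascii_lowercase()))
}

/// The Referer value (None = header omitted) for a navigation from `referrer`
/// to `target` under `policy`; an absent policy falls back to `default`.
pub fn referrer_for_request(
    policy: Option<ReferrerPolicy>,
    default: ReferrerPolicy,
    referrer: &str,
    target: &str,
) -> Option<String> {
    use ReferrerPolicy::*;
    let (r_scheme, r_host) = scheme_and_host(referrer)?;
    let (t_scheme, t_host) = scheme_and_host(target)?;
    // Fragments never leak: the "full" referrer is the URL minus its fragment.
    let full = referrer.split('#').next().unwrap_or("").to_string();
    let origin_only = format!("{}://{}/", r_scheme, r_host);
    let same_origin = r_scheme == t_scheme && r_host == t_host;
    // Downgrade: leaving a TLS-protected context for a non-TLS target.
    let downgrade = r_scheme == "https" && t_scheme != "https";
    match policy.unwrap_or(default) {
        NoReferrer => None,
        UnsafeUrl => Some(full),
        Origin => Some(origin_only),
        NoReferrerWhenDowngrade => if downgrade { None } else { Some(full) },
        StrictOrigin => if downgrade { None } else { Some(origin_only) },
        OriginWhenCrossOrigin => Some(if same_origin { full } else { origin_only }),
        SameOrigin => if same_origin { Some(full) } else { None },
        StrictOriginWhenCrossOrigin => {
            if same_origin { Some(full) } else if downgrade { None } else { Some(origin_only) }
        }
    }
}

fn main() {
    // rel=noreferrer beats an explicit referrerpolicy="unsafe-url" on the link.
    let policy = element_referrer_policy("noopener noreferrer", Some("unsafe-url"), None);
    let sent = referrer_for_request(
        policy,
        ReferrerPolicy::NoReferrerWhenDowngrade,
        "https://app.example/account?id=42#top",
        "http://tracker.example/",
    );
    println!("policy {:?} -> Referer {:?}", policy, sent);
}
```

The default is a parameter on purpose: at the time of this PR the fallback was no-referrer-when-downgrade, which still sends the full URL (query string included) to any https target, while current browsers default to strict-origin-when-cross-origin. Whatever the default, the only way a page author gets a guaranteed empty Referer on a link is `rel=noreferrer` or an explicit no-referrer policy.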
(force-pushed f835a06 to a4234f8)
r? @jdm
(force-pushed a4234f8 to 956acf7)
```js
if (referrer_policy) {
  for (var attr in referrer_policy) {
    // TODO crashed when you assigned value to rel attribute
```
TheKK (Author, Contributor) commented Jul 29, 2016

I found that this problem does not exist anymore, so it's fine now.
I tried to use reviewable, but either it or Firefox choked. I'll leave a comment when I'm done reviewing the diffs on github.
```js
var iframe = appendIframeToBody(url_with_params);
iframe.addEventListener("load", function listener() {
  if ((iframe.contentWindow !== null) &&
      (iframe.contentWindow.location.toString() === url_with_params)) {
```
```js
var xhr = new XMLHttpRequest();
xhr.open('GET', '/_mozilla/mozilla/referrer-policy/generic/subresource/stash.py?id=' + id, false);
xhr.onreadystatechange = function(e) {
  if (this.readyState == 4 && this.status == 200) {
```

```js
};
xhr.send();
```
```js
clearTimeout(timeout_func);
```
```js
var xhr = new XMLHttpRequest();
xhr.open('GET', '/_mozilla/mozilla/referrer-policy/generic/subresource/stash.py?id=' + id, false);
xhr.onreadystatechange = function(e) {
  if (this.readyState == 4 && this.status == 200) {
```
Added!

@bors-servo: r+
Implement referrer policy delivery via noreferrer link relation

According to https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery, `<a>`, `<link>` and `<area>` can apply this delivery method. This PR contains changes for `<a>` and `<link>` **but** not `<area>`, since HTMLAreaElement is barely implemented. We should file another issue for it.

---

- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #11862
- [X] There are tests for these changes

---

This change is Reviewable: https://reviewable.io/reviews/servo/servo/12493
highfive commented Sep 20, 2016
@bors-servo: retry
Woooo! Thanks for sticking with this, @TheKK!
Fix referrer policy tests for a-tag

This PR tries to fix the referrer policy tests for `<a>` which were introduced in #12493 (sorry for my silly mistake). But the fact that Servo lacks some functionality makes these tests a little tricky to do.

The desired solution for tests for `<a>` is to:

1. create a document which is running the test harness
2. append an `<iframe>` to its parent document and give it a name
3. append an `<a>` to its parent document and set its `target` as the `<iframe>`'s name
4. each referrer policy attribute (eg. HTTP header, `<meta>`) would contribute to `<a>` directly
5. we call `click()` on `<a>` and when the test is done, we call `postMessage()` inside the `<iframe>` to notify its parent document

But the target feature for `<a>` and cross-origin `postMessage()` are still on their way.

My solution is:

1. create a document which is running the test harness
2. append an `<iframe>` to its parent document
3. append an `<a>` into the `<iframe>`
4. we call `click()` on `<a>` and the `<iframe>` navigates to the `<a>`'s href

The current solution does not work for some cases:

- HTTP header: it only applies to the test harness html document, but `<a>` is inside the `<iframe>`
- cross-origin detection: we navigate the `<iframe>` rather than its parent document, which makes the test expectation wrong

One workaround in my mind is to load our test harness html document **inside** the `<iframe>` under sandbox, so the test won't run again and we get `<meta>` and HTTP header as we expect. But this would break some consistency in `common.js` and make things more complex.

---

Sorry for the long description. But I'd like to hear more thoughts before I actually make things dirty, and find the most proper solution for this.

This change is Reviewable: https://reviewable.io/reviews/servo/servo/13713
TheKK commented Jul 18, 2016 (edited by jdm)