Referrer Policy
-Editor’s Draft,
+
Referrer Policy
+Editor’s Draft,
- This version:
- https://w3c.github.io/webappsec-referrer-policy/ -
- Latest version:
+
- Latest published version:
- http://www.w3.org/TR/referrer-policy/
- Version History:
- https://github.com/w3c/webappsec-referrer-policy/commits/master/index.src.html
@@ -1071,6 +265,7 @@
public-webappsec@w3.org with subject line “[REFERRER] … message topic …” (archives)
- Issue Tracking:
- GitHub +
- Inline In Spec
- Editors:
-
-
- referrer policy
+
- referrer policy
-
- A referrer policy modifies the algorithm used to populate the
Refererheader when fetching subresources, + A referrer policy modifies the algorithm used to populate theRefererheader when fetching subresources, prefetching, or performing navigations. This document defines the various - behaviors for each referrer policy. -Every environment settings object has an algorithm for obtaining a referrer policy, which is used by default for all requests with that environment settings object as their request + behaviors for each referrer policy. +
Every environment settings object has an algorithm for obtaining a referrer policy, which is used by default for all requests with that environment settings object as their request client.
- - same-origin request
+
- same-origin request
- A
Requestrequest is a same-origin request if request’soriginand the origin of request’surlarethe same. - - cross-origin request -
- A
Requestis a cross-origin request if it is not same-origin. + - cross-origin request +
- A
Requestis a cross-origin request if it is not same-origin.
3. Referrer Policies
-Each possible referrer policy, besides the empty string, is explained +
Each possible referrer policy, besides the empty string, is explained below. A detailed algorithm for evaluating their effect is given in the §5 Integration with Fetch and §7 Algorithms sections.
Note: The referrer policy for an environment settings object provides a default baseline policy for requests when that environment settings object is used as a request client. This policy may be tightened for specific requests via mechanisms like the
-noreferrerlink type.3.1. "
-no-referrer"The simplest policy is "
no-referrer", which specifies +3.1. "
+no-referrer"The simplest policy is "
-no-referrer", which specifies that no referrer information is to be sent along with requests made from a particular request client to any origin. The header will be omitted entirely.If a document at-https://example.com/page.htmlsets a policy of "no-referrer", then navigations tohttps://example.com/(or any other URL) would send noRefererheader.3.2. "
-no-referrer-when-downgrade"The "
no-referrer-when-downgrade" policy sends a full URL +If a document at+https://example.com/page.htmlsets a policy of "no-referrer", then navigations tohttps://example.com/(or any other URL) would send noRefererheader.3.2. "
+no-referrer-when-downgrade"The "
no-referrer-when-downgrade" policy sends a full URL along with requests from a TLS-protected environment settings object to a a priori authenticated URL, and requests from request clients which are not TLS-protected to any origin.Requests from TLS-protected request clients to non-a @@ -1263,36 +440,36 @@
Referer HTTP header will not be sent.
- If a document athttps://example.com/page.htmlsets a policy of "no-referrer-when-downgrade", then navigations tohttps://not.example.com/would send aRefererHTTP header with a value ofhttps://example.com/page.html, as neither resource’s origin is an + If a document athttps://example.com/page.htmlsets a policy of "no-referrer-when-downgrade", then navigations tohttps://not.example.com/would send aRefererHTTP header with a value ofhttps://example.com/page.html, as neither resource’s origin is an non-a priori authenticated URL.Navigations from that same page to
http://not.example.com/would send noRefererheader.This is a user agent’s default behavior, if no policy is otherwise specified.
-3.3. "
-same-origin"The "
same-origin" policy specifies that a +3.3. "
+same-origin"The "
-same-origin" policy specifies that a full URL, stripped for use as a referrer, is sent as - referrer information when making same-origin requests from a particular request client.Cross-origin requests, on the other hand, will contain no + referrer information when making same-origin requests from a particular request client.
+Cross-origin requests, on the other hand, will contain no referrer information. A
RefererHTTP header will not be sent.- If a document at-https://example.com/page.htmlsets a policy of "same-origin", then navigations tohttps://example.com/not-page.htmlwould send aRefererheader with a value ofhttps://example.com/page.html. + If a document athttps://example.com/page.htmlsets a policy of "same-origin", then navigations tohttps://example.com/not-page.htmlwould send aRefererheader with a value ofhttps://example.com/page.html.Navigations from that same page to
https://not.example.com/would send noRefererheader.3.4. "
-origin"The "
+origin" policy specifies that only the ASCII serialization of the origin of the request client is sent as referrer information - when making both same-origin requests and cross-origin requests from a particular request client.3.4. "
+origin"The "
origin" policy specifies that only the ASCII serialization of the origin of the request client is sent as referrer information + when making both same-origin requests and cross-origin requests from a particular request client.Note: The serialization of an origin looks like
-https://example.com. To ensure that a valid URL is sent in the `Referer` header, user agents will append a U+002F SOLIDUS ("/") character to the origin (e.g.https://example.com/).Note: The "
origin" policy causes the origin of HTTPS +Note: The "
-origin" policy causes the origin of HTTPS referrers to be sent over the network as part of unencrypted HTTP requests. - The "strict-origin" policy addresses this concern.If a document athttps://example.com/page.htmlsets a policy of "origin", then navigations to any origin would send aRefererheader with a value + The "strict-origin" policy addresses this concern. +If a document at-https://example.com/page.htmlsets a policy of "origin", then navigations to any origin would send aRefererheader with a value ofhttps://example.com/, even to URLs that are not a priori authenticated URLs.3.5. "
-strict-origin"The "
+strict-origin" policy sends the ASCII serialization of the origin of the request client when making requests:3.5. "
+strict-origin"The "
strict-origin" policy sends the ASCII serialization of the origin of the request client when making requests:- from a TLS-protected environment settings object to a a priori authenticated URL, and
- from non-TLS-protected environment settings objects to
@@ -1303,31 +480,31 @@
Referer HTTP header will not be sent.
- If a document at-https://example.com/page.htmlsets a policy of "strict-origin", then navigations tohttps://not.example.comwould send aRefererheader with a value ofhttps://example.com/. + If a document athttps://example.com/page.htmlsets a policy of "strict-origin", then navigations tohttps://not.example.comwould send aRefererheader with a value ofhttps://example.com/.Navigations from that same page to
http://not.example.comwould send noRefererheader.If a document at-http://example.com/page.htmlsets a policy of "strict-origin", then navigations tohttp://not.example.comorhttps://example.comwould send aRefererheader with a value ofhttp://example.com/.3.6. "
-origin-when-cross-origin"The "
origin-when-cross-origin" policy specifies that a +If a document at+http://example.com/page.htmlsets a policy of "strict-origin", then navigations tohttp://not.example.comorhttps://example.comwould send aRefererheader with a value ofhttp://example.com/.3.6. "
+origin-when-cross-origin"The "
-origin-when-cross-origin" policy specifies that a full URL, stripped for use as a referrer, is sent as - referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client is sent as referrer information - when making cross-origin requests from a particular request + referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client is sent as referrer information + when making cross-origin requests from a particular request client.Note: For the "
-origin-when-cross-origin" policy, we also - consider protocol upgrades, e.g. requests fromhttp://example.com/tohttps://example.com/, to be cross-origin requests.Note: The "
origin-when-cross-origin" policy causes the +Note: For the "
+origin-when-cross-origin" policy, we also + consider protocol upgrades, e.g. requests fromhttp://example.com/tohttps://example.com/, to be cross-origin requests.Note: The "
origin-when-cross-origin" policy causes the origin of HTTPS referrers to be sent over the network as part of unencrypted - HTTP requests. The "strict-origin-when-cross-origin" policy + HTTP requests. The "strict-origin-when-cross-origin" policy addresses this concern.- If a document at-https://example.com/page.htmlsets a policy of "origin-when-cross-origin", then navigations tohttps://example.com/not-page.htmlwould send aRefererheader with a value ofhttps://example.com/page.html. + If a document athttps://example.com/page.htmlsets a policy of "origin-when-cross-origin", then navigations tohttps://example.com/not-page.htmlwould send aRefererheader with a value ofhttps://example.com/page.html.Navigations from that same page to
https://not.example.com/would send aRefererheader with a value ofhttps://example.com/, even to URLs that are not a priori authenticated URLs.3.7. "
-strict-origin-when-cross-origin"The "
strict-origin-when-cross-origin" policy specifies that a +3.7. "
+strict-origin-when-cross-origin"The "
+ referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client when making cross-origin requests:strict-origin-when-cross-origin" policy specifies that a full URL, stripped for use as a referrer, is sent as - referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client when making cross-origin requests:- from a TLS-protected environment settings object to a a priori authenticated URL, and
- from non-TLS-protected environment settings objects to
@@ -1338,50 +515,50 @@
Referer HTTP header will not be sent.
- If a document at-https://example.com/page.htmlsets a policy of "strict-origin-when-cross-origin", then navigations tohttps://example.com/not-page.htmlwould send aRefererheader with a value ofhttps://example.com/page.html. + If a document athttps://example.com/page.htmlsets a policy of "strict-origin-when-cross-origin", then navigations tohttps://example.com/not-page.htmlwould send aRefererheader with a value ofhttps://example.com/page.html.Navigations from that same page to
https://not.example.com/would send aRefererheader with a value ofhttps://example.com/.Navigations from that same page to
http://not.example.com/would send noRefererheader.3.8. "
-unsafe-url"The "
unsafe-url" policy specifies that a full URL, stripped for use as a referrer, is sent along with - both cross-origin requests and same-origin requests made from +3.8. "
+unsafe-url"The "
unsafe-url" policy specifies that a full URL, stripped for use as a referrer, is sent along with + both cross-origin requests and same-origin requests made from a particular request client.If a document at+ of "https://example.com/sekrit.htmlsets a policy - of "unsafe-url", then navigations tohttp://not.example.com/(and every other origin) would send aRefererHTTP header with a value ofhttps://example.com/sekrit.html.unsafe-url", then navigations tohttp://not.example.com/(and every other origin) would send aRefererHTTP header with a value ofhttps://example.com/sekrit.html.
Note: The policy’s name doesn’t lie; it is unsafe. This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of setting such a policy for potentially sensitive documents.
3.9. The empty string
-The empty string "" corresponds to no referrer policy, causing a - fallback to a referrer policy defined elsewhere, or in the case where - no such higher-level policy is available, defaulting to "
no-referrer-when-downgrade". This defaulting happens in +The empty string "" corresponds to no referrer policy, causing a + fallback to a referrer policy defined elsewhere, or in the case where + no such higher-level policy is available, defaulting to "
-no-referrer-when-downgrade". This defaulting happens in the §7.3 Determine request’s Referrer algorithm.Given a HTMLaelement without any declaredreferrerpolicyattribute, its referrer policy is "". Thus, navigation requests initiated +Given a HTML+ document. If thataelement without any declaredreferrerpolicyattribute, its referrer policy is "". Thus, navigation requests initiated by clicking on thataelement will be sent with the referrer policy of theaelement’s node - document. If thatDocumenthas "" as its referrer policy, the §7.3 Determine request’s Referrer algorithm will treat "" the same as "no-referrer-when-downgrade".Documenthas "" as its referrer policy, the §7.3 Determine request’s Referrer algorithm will treat "" the same as "no-referrer-when-downgrade".4. Referrer Policy Delivery
-A request’s referrer policy is delivered in one of five ways:
+A request’s referrer policy is delivered in one of five ways:
- Via the
Referrer-PolicyHTTP header (defined in §4.1 Delivery via Referrer-Policy header). - - Via a
metaelement with anameofreferrer. + - Via a
metaelement with anameofreferrer. - Via a
referrerpolicycontent attribute on ana,area,img,iframe, orlinkelement. - Via the
noreferrerlink relation on ana,area, orlinkelement. - Implicitly, via inheritance.
4.1. Delivery via Referrer-Policy header
-The
-Referrer-PolicyHTTP header specifies the referrer policy that the user agent applies when determining what referrer information should be included with requests - made, and with browsing contexts created from the context of the protected resource. + made, and with browsing contexts created from the context of the protected resource. The syntax for the name and value of the header are described by the following ABNF grammar:"Referrer-Policy:" 1#policy-token +
"Referrer-Policy:" 1#policy-token
-policy-token = "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url" +
policy-token = "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url"
Note: The header name does not share the HTTP Referer header’s misspelling.
§5 Integration with Fetch and §6 Integration with HTML describe @@ -1398,7 +575,7 @@
4.2. Delivery via
metaThis section is not normative.
-The HTML Standard defines the
referrerkeyword for themetaelement, which allows setting the referrer +The HTML Standard defines the
referrerkeyword for themetaelement, which allows setting the referrer policy via markup.@@ -1407,15 +584,16 @@ referrer policy attributes which applies to several of its elements, for example: -
+<a href="http://example.com" referrerpolicy="origin"><a href="http://example.com" referrerpolicy="origin"> +4.4. Nested browsing contexts
This section is not normative.
The HTML Standard and Fetch Standard define how nested browsing contexts that are not created from responses, such as
+ theiriframeelements with - theirsrcdocattribute set, or created from a blob URL, inherit - their referrer policy from the creator browsing context or blob URL.srcdocattribute set, or created from a blob URL, inherit + their referrer policy from the creator browsing context or blob URL.@@ -1432,7 +610,7 @@ 6. Integration with HTML
This section is not normative.
-The HTML Standard determines the referrer policy of any response +
The HTML Standard determines the referrer policy of any response received during navigation or while running a worker, and uses the result to set the resulting
DocumentorWorkerGlobalScope's referrer policy. This is later used by the corresponding environment @@ -1447,8 +625,8 @@7. Algorithms
-7.1. Parse a referrer policy from a
-Referrer-PolicyheaderGiven a
+Responseresponse, the following steps return a referrer policy according to response’s `Referrer-Policy` header:7.1. Parse a referrer policy from a
+Referrer-PolicyheaderGiven a
Responseresponse, the following steps return a referrer policy according to response’s `Referrer-Policy` header:- Let policy-tokens be the result of
parsing `
Referrer-Policy` in response’s header list. @@ -1459,7 +637,7 @@7.2. Set request’s referrer policy on redirect
Given a request request and a response actualResponse, - this algorithm updates request’s associated referrer policy according to the Referrer-Policy header (if any) in actualResponse.
+ this algorithm updates request’s associated referrer policy according to the Referrer-Policy header (if any) in actualResponse.
- Let policy be the result of executing §7.1 Parse a referrer policy from a Referrer-Policy header on actualResponse.
- If policy is not the empty string, then set request’s
@@ -1467,52 +645,49 @@
7.3. Determine request’s Referrer
Given a
-Requestrequest, we can determine the correct - referrer information to send by examining the referrer policy associated with it, as detailed in the following steps, which return + referrer information to send by examining the referrer policy associated with it, as detailed in the following steps, which return eitherno referreror a URL:Note: If Fetch is performing a navigation in response to a link of type
noreferrer, then request’sreferrerwill beno referrer, and Fetch won’t call - into this algorithm.-
-
- Let policy be request’s associated referrer policy. -
- Let environment be request’s
client. + - Let policy be request’s associated referrer policy. +
- Let environment be request’s client.
-
- If request’s
referreris a URL, then let referrerSource be request’sreferrer. Otherwise: --
-
-
- If environment’s global object is a
Windowobject: --
-
- Let document be the
Documentobject of the active document of the browsing context of environment’s responsible browsing context. -
- Let document be the
-
- Otherwise, environment’s global object is a
WorkerGlobalScope: --
-
- Let source be the API referrer source specified by the incumbent settings object. -
- If source is a URL, let referrerSource be source, otherwise let document be source. -
-
- If document is set, execute the following steps:
+ Switch on request’s referrer:
+
-
+
- "
client" + -
-
-
- If document’s origin is an opaque
- origin (because, for example, it has been sandboxed
- into a unique origin), return
no referrerand - abort these steps. - - While document corresponds to an iframe srcdoc Document,
- let document be that Document’s browsing context’s browsing context container’s
Document. - - Let referrerSource be document’s URL. +
-
+ If environment’s global
+ object is a
Windowobject, then +-
+
- Let document be the active document of environment’s responsible browsing context. +
- If document’s origin is an opaque origin,
+ return
no referrer. + - While document is an
iframe srcdocdocument, let document be document’s browsing context’s browsing context + container’s node document. + - Let referrerSource be document’s URL. +
- Otherwise, let referrerSource be environment’s creation + URL.
- If document’s origin is an opaque
- origin (because, for example, it has been sandboxed
- into a unique origin), return
- "
- a URL +
- Let referrerSource be request’s referrer. +
-
- If environment’s global object is a
Note: If request’s referrer is
+ "no-referrer", Fetch will not call into this algorithm.
origin-only flag set to true.
+ referrer, with the origin-only flag set to true.
-
-
- "
no-referrer" +- "
no-referrer" - "
- Return
no referrer- - "
origin" +- "
origin" - "
- Return referrerOrigin -
- "
unsafe-url" +- "
unsafe-url" - "
- Return referrerURL. -
- "
strict-origin" +- "
strict-origin" - "
-
-
@@ -1524,10 +699,10 @@
- Return referrerOrigin.
-
@@ -1524,10 +699,10 @@
- "
strict-origin-when-cross-origin" +- "
strict-origin-when-cross-origin" - "
-
-
-
- If request is a same-origin request, then +
- If request is a same-origin request, then return referrerURL.
-
If environment is not null:
@@ -1541,22 +716,21 @@
- Return referrerOrigin.
- "
same-origin" +- "
same-origin" - "
-
-
-
- If request is a same-origin request, then +
- If request is a same-origin request, then return referrerURL.
- Otherwise, return
no referrer.
- "
origin-when-cross-origin" +- "
origin-when-cross-origin" - "
-
-
-
- If request is a cross-origin request, then +
- If request is a cross-origin request, then return referrerOrigin.
- Otherwise, return referrerURL.
- "
no-referrer-when-downgrade" -- the empty string +
- "
no-referrer-when-downgrade" - the empty string +
-
-
@@ -1569,12 +743,14 @@
Return referrerURL.
-
@@ -1569,12 +743,14 @@
Note: Fetch will ensure request’s referrer policy is not the + empty string before calling this algorithm.
7.4. Strip url for use as a referrer
Certain portions of URLs MUST not be included when sending a URL as the value
of a `Referer` header: a URLs fragment, username, and password
components should be stripped from the URL before it’s sent out. This
- algorithm accepts a origin-only flag, which defaults
+ algorithm accepts a origin-only flag, which defaults
to false. If set to true, the algorithm will
additionally remove the URL’s path and query components, leaving only the
scheme, host, and port.
Set url’s password to null.
Set url’s fragment to null.
- If the origin-only flag is true,
+ If the origin-only flag is true,
then:
- Set url’s path to
null.
@@ -1595,27 +771,27 @@
- Return url.
7.5. Determine token’s Policy
- Given a string token (for example, the value of a Referrer-Policy header), this algorithm will return the referrer policy it refers to:
+ Given a string token (for example, the value of a Referrer-Policy header), this algorithm will return the referrer policy it refers to:
- If token is an ASCII case-insensitive match for the
- strings "
never" or "no-referrer", return "no-referrer".
+ strings "never" or "no-referrer", return "no-referrer".
- If token is ASCII case-insensitive match for the string
"
default" or "no-referrer-when-downgrade",
- return "no-referrer-when-downgrade".
+ return "no-referrer-when-downgrade".
- If token is an ASCII case-insensitive match for the
- string "
origin", return "origin".
+ string "origin", return "origin".
- If token is an ASCII case-insensitive match for the
- string "
strict-origin", return "strict-origin".
+ string "strict-origin", return "strict-origin".
- If token is an ASCII case-insensitive match for the
- string "
strict-origin-when-cross-origin", return "strict-origin-when-cross-origin".
+ string "strict-origin-when-cross-origin", return "strict-origin-when-cross-origin".
- If token is an ASCII case-insensitive match for the
- string "
same-origin", return "same-origin".
+ string "same-origin", return "same-origin".
- If token is ASCII case-insensitive match for the string
- "
origin-when-cross-origin", return "origin-when-cross-origin".
+ "origin-when-cross-origin", return "origin-when-cross-origin".
- If token is ASCII case-insensitive match for the strings
"
always" or "unsafe-url",
- return "unsafe-url".
- - If token is empty, return "
no-referrer".
+ return "unsafe-url".
+ - If token is empty, return "
no-referrer".
- Return the empty string.
Note: Authors are encouraged to avoid the legacy keywords never, default, and always. The
@@ -1628,22 +804,22 @@
null.
null.
origin-only flag is true,
+ If the origin-only flag is true,
then:
- Set url’s path to
null. @@ -1595,27 +771,27 @@- Return url.
7.5. Determine token’s Policy
-Given a string token (for example, the value of a Referrer-Policy header), this algorithm will return the referrer policy it refers to:
Given a string token (for example, the value of a Referrer-Policy header), this algorithm will return the referrer policy it refers to:
- If token is an ASCII case-insensitive match for the
- strings "
never" or "no-referrer", return "no-referrer". + strings "never" or "no-referrer", return "no-referrer". - If token is ASCII case-insensitive match for the string
"
default" or "no-referrer-when-downgrade", - return "no-referrer-when-downgrade". + return "no-referrer-when-downgrade". - If token is an ASCII case-insensitive match for the
- string "
origin", return "origin". + string "origin", return "origin". - If token is an ASCII case-insensitive match for the
- string "
strict-origin", return "strict-origin". + string "strict-origin", return "strict-origin". - If token is an ASCII case-insensitive match for the
- string "
strict-origin-when-cross-origin", return "strict-origin-when-cross-origin". + string "strict-origin-when-cross-origin", return "strict-origin-when-cross-origin". - If token is an ASCII case-insensitive match for the
- string "
same-origin", return "same-origin". + string "same-origin", return "same-origin". - If token is ASCII case-insensitive match for the string
- "
origin-when-cross-origin", return "origin-when-cross-origin". + "origin-when-cross-origin", return "origin-when-cross-origin". - If token is ASCII case-insensitive match for the strings
"
always" or "unsafe-url", - return "unsafe-url". - - If token is empty, return "
no-referrer". + return "unsafe-url". + - If token is empty, return "
no-referrer". - Return the empty string.
Note: Authors are encouraged to avoid the legacy keywords never, default, and always. The
@@ -1628,22 +804,22 @@
11. Acknowledgements
@@ -1668,22 +844,22 @@Conformance
Document conventions
Conformance requirements are expressed with a combination of - descriptive assertions and RFC 2119 terminology. The key words "MUST", - "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", - "RECOMMENDED", "MAY", and "OPTIONAL" in the normative parts of this + descriptive assertions and RFC 2119 terminology. The key words “MUST”, + “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, + “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.
All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]
-Examples in this specification are introduced with the words "for example" +
Examples in this specification are introduced with the words “for example”
or are set apart from the normative text with class="example",
like this:
Informative notes begin with the word "Note" and are set apart from the +
Informative notes begin with the word “Note” and are set apart from the
normative text with class="note", like this:
Note, this is an informative note.
Conformant Algorithms
@@ -1696,9 +872,10 @@
- Index
- Terms defined by this specification
-
+
+ Index
+ Terms defined by this specification
+
- cross-origin request, in §2
- "no-referrer", in §3
- "no-referrer-when-downgrade", in §3.1
@@ -1715,36 +892,34 @@
The empty string, in §3.8
- "unsafe-url", in §3.7
- Terms defined by reference
-
+ Terms defined by reference
+
-
- [FETCH] defines the following terms:
+ [FETCH] defines the following terms:
-
- [HTML] defines the following terms:
+ [HTML] defines the following terms:
- Document
- a
- active document
- an iframe srcdoc document
-
- api referrer source
- ascii case-insensitive match
-
- browsing context
+
- browsing context
- browsing context container
+
- creation url
- environment settings object
- fragment
-
- global object
-
- incumbent settings object
+
- global object
- link
- name
- navigation
@@ -1758,39 +933,41 @@
running a worker
-
- [MIX] defines the following terms:
+ [MIX] defines the following terms:
-
- [RFC6454] defines the following terms:
+ [RFC6454] defines the following terms:
-
- [RFC7231] defines the following terms:
+ [RFC7231] defines the following terms:
-
- [url] defines the following terms:
+ [WHATWG-URL] defines the following terms:
-
- [wsc-ui] defines the following terms:
+ [wsc-ui] defines the following terms:
-
- [dom-ls] defines the following terms:
+ [WHATWG-DOM] defines the following terms:
-
- [HTML] defines the following terms:
+ [HTML] defines the following terms:
- Window
- WorkerGlobalScope
@@ -1801,7 +978,7 @@
srcdoc
-
- [url] defines the following terms:
+ [WHATWG-URL] defines the following terms:
- References
- Normative References
+ References
+ Normative References
- - [FETCH]
+
- [FETCH]
- Anne van Kesteren. Fetch. Living Standard. URL: http://fetch.spec.whatwg.org/
-
- [HTML]
+
- [HTML]
- Ian Hickson. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
-
- [MIX]
+
- [MIX]
- Mike West. Mixed Content. ED. URL: https://w3c.github.io/webappsec/specs/mixedcontent/
-
- [RFC6454]
+
- [RFC2119]
+
- S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
+
- [RFC6454]
- Adam Barth. The Web Origin Concept. RFC. URL: http://www.ietf.org/rfc/rfc6454.txt
-
- [RFC7231]
+
- [RFC7231]
- Roy T. Fielding; Julian F. Reschke. HTTP/1.1 Semantics and Content. RFC. URL: http://www.ietf.org/rfc/rfc7231.txt
-
- [DOM-LS]
-
- Document Object Model URL: https://dom.spec.whatwg.org/
-
- [RFC2119]
-
- S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
-
- [URL]
-
- Anne van Kesteren; Sam Ruby. URL. 9 December 2014. WD. URL: http://www.w3.org/TR/url-1/
-
- [WSC-UI]
-
- Thomas Roessler; Anil Saldhana. Web Security Context: User Interface Guidelines. 12 August 2010. REC. URL: http://www.w3.org/TR/wsc-ui/
+
- [WHATWG-DOM]
+
- Anne van Kesteren. DOM Standard. Living Standard. URL: https://dom.spec.whatwg.org/
+
- [WHATWG-URL]
+
- Anne van Kesteren; Sam Ruby. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/
+
- [WSC-UI]
+
- Thomas Roessler; Anil Saldhana. Web Security Context: User Interface Guidelines. 12 August 2010. REC. URL: https://www.w3.org/TR/wsc-ui/
- Informative References
+ Informative References
- - [CAPABILITY-URLS]
+
- [CAPABILITY-URLS]
- Jenni Tennison. Capability URLs. WD. URL: http://www.w3.org/TR/capability-urls/
- Issues Index
+ Issues Index
TODO: define content attribute integrations. For example, for
img elements, HTML should set the request’s associated referrer policy
before fetching. ↵
-
-
\ No newline at end of file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/index.src.html b/index.src.html
index 202012c..d1aa167 100644
--- a/index.src.html
+++ b/index.src.html
@@ -49,6 +49,7 @@ Referrer Policy
text: forced sandboxing flag set
text: auxiliary browsing context
text: browsing context
+ text: browsing context; for: Document; url: concept-document-bc
text: parent browsing context
text: ancestor browsing context
text: browsing context container
@@ -85,10 +86,9 @@ Referrer Policy
text: task source
text: tasks; url: concept-task
text: environment settings object
- text: incumbent settings object
text: responsible browsing context
- text: API referrer source
- text: global object
+ text: global object; for: environment settings object; url: concept-settings-object-global
+ text: creation URL
urlPrefix: workers.html
text: running a worker; url: run a worker
urlPrefix: dom.html
@@ -110,6 +110,7 @@ Referrer Policy
spec: URL; urlPrefix: https://url.spec.whatwg.org
type: dfn
text: local scheme
+ text: URL
type: interface
text: URL
spec: WSC-UI; urlPrefix: http://www.w3.org/TR/2010/REC-wsc-ui-20100812/
@@ -683,74 +684,53 @@
associated with it, as detailed in the following steps, which return
either no referrer or a URL:
- Note: If Fetch is performing a navigation in response to a link of type
- noreferrer, then request's
- referrer will be no referrer, and Fetch won't call
- into this algorithm.
-
-
Let policy be |request|'s associated referrer policy.
-
- Let environment be request's
client.
+ Let environment be request's client.
-
- If request's
referrer is a URL, then let
- referrerSource be request's
- referrer. Otherwise:
-
-
- -
- If environment's global object is a {{Window}}
- object:
+ Switch on |request|'s referrer:
+
+ - "
client"
+ -
-
- Let document be the {{Document}} object of the
- active document of the browsing context of
- environment's responsible browsing context.
-
-
-
- -
- Otherwise, environment's global object is a
- {{WorkerGlobalScope}}:
+ If |environment|'s global
+ object is a {{Window}} object, then
-
- -
- Let source be the API referrer source
- specified by the incumbent settings object.
-
- -
- If source is a URL, let referrerSource
- be source, otherwise let document be
- source.
-
-
-
- -
- If document is set, execute the following steps:
+
+ - Let |document| be the active document of
+ |environment|'s responsible browsing context.
-
- -
- If document's origin is an opaque
- origin (because, for example, it has been sandboxed
- into a unique origin), return
no referrer and
- abort these steps.
-
- -
- While document corresponds to an iframe srcdoc Document,
- let document be that Document's browsing context's
- browsing context container's {{Document}}.
-
- -
- Let referrerSource be document's URL.
+
- If |document|'s origin is an opaque origin,
+ return
no referrer.
+
+ - While |document| is an
iframe srcdoc
+ document, let |document| be |document|'s browsing context's browsing context
+ container's node document.
+
+ - Let |referrerSource| be |document|'s URL.
+
+
+ - Otherwise, let |referrerSource| be |environment|'s creation
+ URL.
-
-
+
+
+ - a URL
+ - Let |referrerSource| be |request|'s referrer.
+
+ Note: If request's referrer is
+ "no-referrer", Fetch will not call into this algorithm.
-
@@ -848,7 +828,6 @@
- "
no-referrer-when-downgrade"
- - the empty string
-
-
@@ -867,6 +846,9 @@
+
+ Note: Fetch will ensure |request|'s referrer policy is not the
+ empty string before calling this algorithm.
Index
+Terms defined by this specification
+- cross-origin request, in §2
- "no-referrer", in §3
- "no-referrer-when-downgrade", in §3.1
@@ -1715,36 +892,34 @@
The empty string, in §3.8
- "unsafe-url", in §3.7
Terms defined by reference
--
+
- - [FETCH] defines the following terms: + [FETCH] defines the following terms:
-
- [HTML] defines the following terms:
+ [HTML] defines the following terms:
- Document
- a
- active document
- an iframe srcdoc document -
- api referrer source
- ascii case-insensitive match -
- browsing context +
- browsing context
- browsing context container +
- creation url
- environment settings object
- fragment -
- global object -
- incumbent settings object +
- global object
- link
- name
- navigation
@@ -1758,39 +933,41 @@
running a worker
- - [MIX] defines the following terms: + [MIX] defines the following terms:
- - [RFC6454] defines the following terms: + [RFC6454] defines the following terms:
- - [RFC7231] defines the following terms: + [RFC7231] defines the following terms:
- - [url] defines the following terms: + [WHATWG-URL] defines the following terms:
- - [wsc-ui] defines the following terms: + [wsc-ui] defines the following terms:
- - [dom-ls] defines the following terms: + [WHATWG-DOM] defines the following terms:
-
- [HTML] defines the following terms:
+ [HTML] defines the following terms:
- Window
- WorkerGlobalScope
@@ -1801,7 +978,7 @@
srcdoc
- - [url] defines the following terms: + [WHATWG-URL] defines the following terms:
- [FETCH]
+
- [FETCH]
- Anne van Kesteren. Fetch. Living Standard. URL: http://fetch.spec.whatwg.org/ -
- [HTML]
+
- [HTML]
- Ian Hickson. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/ -
- [MIX]
+
- [MIX]
- Mike West. Mixed Content. ED. URL: https://w3c.github.io/webappsec/specs/mixedcontent/ -
- [RFC6454]
+
- [RFC2119] +
- S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119 +
- [RFC6454]
- Adam Barth. The Web Origin Concept. RFC. URL: http://www.ietf.org/rfc/rfc6454.txt -
- [RFC7231]
+
- [RFC7231]
- Roy T. Fielding; Julian F. Reschke. HTTP/1.1 Semantics and Content. RFC. URL: http://www.ietf.org/rfc/rfc7231.txt -
- [DOM-LS] -
- Document Object Model URL: https://dom.spec.whatwg.org/ -
- [RFC2119] -
- S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119 -
- [URL] -
- Anne van Kesteren; Sam Ruby. URL. 9 December 2014. WD. URL: http://www.w3.org/TR/url-1/ -
- [WSC-UI] -
- Thomas Roessler; Anil Saldhana. Web Security Context: User Interface Guidelines. 12 August 2010. REC. URL: http://www.w3.org/TR/wsc-ui/ +
- [WHATWG-DOM] +
- Anne van Kesteren. DOM Standard. Living Standard. URL: https://dom.spec.whatwg.org/ +
- [WHATWG-URL] +
- Anne van Kesteren; Sam Ruby. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/ +
- [WSC-UI] +
- Thomas Roessler; Anil Saldhana. Web Security Context: User Interface Guidelines. 12 August 2010. REC. URL: https://www.w3.org/TR/wsc-ui/
- [CAPABILITY-URLS]
+
- [CAPABILITY-URLS]
- Jenni Tennison. Capability URLs. WD. URL: http://www.w3.org/TR/capability-urls/
- Let policy be |request|'s associated referrer policy.
-
- Let environment be request's
client. + Let environment be request's client. -
- If request's
referreris a URL, then let - referrerSource be request's -referrer. Otherwise: - --
-
-
- If environment's global object is a {{Window}}
- object:
+ Switch on |request|'s referrer:
+
-
+
- "
client"
+ -
- - Let document be the {{Document}} object of the - active document of the browsing context of - environment's responsible browsing context. - -
- - "
-
- Otherwise, environment's global object is a
- {{WorkerGlobalScope}}:
+ If |environment|'s global
+ object is a {{Window}} object, then
-
-
-
- - Let source be the API referrer source - specified by the incumbent settings object. - -
- - If source is a URL, let referrerSource - be source, otherwise let document be - source. - -
- -
- If document is set, execute the following steps:
+
-
+
- Let |document| be the active document of + |environment|'s responsible browsing context. -
-
- If document's origin is an opaque
- origin (because, for example, it has been sandboxed
- into a unique origin), return
no referrerand - abort these steps. -
- - - While document corresponds to an iframe srcdoc Document, - let document be that Document's browsing context's - browsing context container's {{Document}}. - -
- - Let referrerSource be document's URL. +
- If |document|'s origin is an opaque origin,
+ return
no referrer.
+
+ - While |document| is an
iframe srcdoc+ document, let |document| be |document|'s browsing context's browsing context + container's node document.
+
+ - Let |referrerSource| be |document|'s URL. +
-
-
+
+ - Otherwise, let |referrerSource| be |environment|'s creation + URL.
- -
- If environment's global object is a {{Window}}
- object:
+ Switch on |request|'s referrer:
+
- a URL +
- Let |referrerSource| be |request|'s referrer. + + Note: If request's referrer is + "
-
@@ -848,7 +828,6 @@
- "
-no-referrer-when-downgrade"- the empty string
-
@@ -867,6 +846,9 @@
- "
Terms defined by reference
+References
-Normative References
+References
+Normative References
-
-
Informative References
+Informative References
-
-
Issues Index
+Issues Index
TODO: define content attribute integrations. For example, for
img elements, HTML should set the request’s associated referrer policy
before fetching. ↵