From 58679acc9b1d0af68f9056ed5f9f214c9d2f99a9 Mon Sep 17 00:00:00 2001
From: Jochen Eisinger
Date: Thu, 25 Oct 2018 10:56:36 +0200
Subject: [PATCH] rel="noreferrer" is not supported for elements

---
 index.html | 1222 ++++++++++++++++++++++++++++++++++--------------
 index.src.html | 4 +-
 2 files changed, 862 insertions(+), 364 deletions(-)

diff --git a/index.html b/index.html
index 1fe1889..39a49d8 100644
--- a/index.html
+++ b/index.html
@@ -992,57 +992,93 @@ .toc > li li { font-weight: normal; } .toc > li li li { font-size: 95%; } .toc > li li li li { font-size: 90%; } + .toc > li li li li .secno { font-size: 85%; } .toc > li li li li li { font-size: 85%; } + .toc > li li li li li .secno { font-size: 100%; } - .toc > li { margin: 1.5rem 0; } - .toc > li li { margin: 0.3rem 0; } - .toc > li li li { margin-left: 2rem; } + /* @supports not (display:grid) { */ + .toc > li { margin: 1.5rem 0; } + .toc > li li { margin: 0.3rem 0; } + .toc > li li li { margin-left: 2rem; } - /* Section numbers in a column of their own */ - .toc .secno { - float: left; - width: 4rem; - white-space: nowrap; - } - .toc > li li li li .secno { - font-size: 85%; - } - .toc > li li li li li .secno { - font-size: 100%; - } + /* Section numbers in a column of their own */ + .toc .secno { + float: left; + width: 4rem; + white-space: nowrap; + } - :not(li) > .toc { margin-left: 5rem; } - .toc .secno { margin-left: -5rem; } - .toc > li li li .secno { margin-left: -7rem; } - .toc > li li li li .secno { margin-left: -9rem; } - .toc > li li li li li .secno { margin-left: -11rem; } + .toc li { + clear: both; + } - /* Tighten up indentation in narrow ToCs */ - @media (max-width: 30em) { - :not(li) > .toc { margin-left: 4rem; } - .toc .secno { margin-left: -4rem; } - .toc > li li li { margin-left: 1rem; } - .toc > li li li .secno { margin-left: -5rem; } - .toc > li li li li .secno { margin-left: -6rem; } - .toc > li li li li li .secno { margin-left: -7rem; } - } - @media screen and (min-width: 78em) { - body:not(.toc-inline) :not(li) > .toc { margin-left: 4rem; } - body:not(.toc-inline) .toc .secno { margin-left: -4rem; } - body:not(.toc-inline) .toc > li li li { margin-left: 1rem; } - body:not(.toc-inline) .toc > li li li .secno { margin-left: -5rem; } - body:not(.toc-inline) .toc > li li li li .secno { margin-left: -6rem; } - body:not(.toc-inline) .toc > li li li li li .secno { margin-left: -7rem; } - } - body.toc-sidebar #toc :not(li) 
> .toc { margin-left: 4rem; } - body.toc-sidebar #toc .toc .secno { margin-left: -4rem; } - body.toc-sidebar #toc .toc > li li li { margin-left: 1rem; } - body.toc-sidebar #toc .toc > li li li .secno { margin-left: -5rem; } - body.toc-sidebar #toc .toc > li li li li .secno { margin-left: -6rem; } - body.toc-sidebar #toc .toc > li li li li li .secno { margin-left: -7rem; } - - .toc li { - clear: both; + :not(li) > .toc { margin-left: 5rem; } + .toc .secno { margin-left: -5rem; } + .toc > li li li .secno { margin-left: -7rem; } + .toc > li li li li .secno { margin-left: -9rem; } + .toc > li li li li li .secno { margin-left: -11rem; } + + /* Tighten up indentation in narrow ToCs */ + @media (max-width: 30em) { + :not(li) > .toc { margin-left: 4rem; } + .toc .secno { margin-left: -4rem; } + .toc > li li li { margin-left: 1rem; } + .toc > li li li .secno { margin-left: -5rem; } + .toc > li li li li .secno { margin-left: -6rem; } + .toc > li li li li li .secno { margin-left: -7rem; } + } + /* } */ + + @supports (display:grid) { + /* Use #toc over .toc to override non-@supports rules. */ + #toc { + display: grid; + align-content: start; + grid-template-columns: auto 1fr; + grid-column-gap: 1rem; + column-gap: 1rem; + grid-row-gap: .6rem; + row-gap: .6rem; + } + #toc h2 { + grid-column: 1 / -1; + margin-bottom: 0; + } + #toc ol, + #toc li, + #toc a { + display: contents; + /* Switch to subgrid when supported */ + } + #toc span { + margin: 0; + } + #toc > .toc > li > a > span { + /* The spans of the top-level list, + comprising the first items of each top-level section. 
*/ + margin-top: 1.1rem; + } + #toc#toc .secno { /* Ugh, need more specificity to override base.css */ + grid-column: 1; + width: auto; + margin-left: 0; + } + #toc .content { + grid-column: 2; + width: auto; + margin-right: 1rem; + } + #toc .content:hover { + background: rgba(75%, 75%, 75%, .25); + border-bottom: 3px solid #054572; + margin-bottom: -3px; + } + #toc li li li .content { + margin-left: 1rem; + } + #toc li li li li .content { + margin-left: 2rem; + } }
@@ -1176,9 +1212,9 @@ } } - + - + +.dfn-paneled { cursor: pointer; } +

Referrer Policy

-

Editor’s Draft,

+

Editor’s Draft,

This version:
@@ -1435,7 +1471,7 @@

https://github.com/w3c/webappsec-referrer-policy/commits/master/index.src.html
Feedback: -
public-webappsec@w3.org with subject line “[referrer-policy] … message topic …” (archives) +
public-webappsec@w3.org with subject line “[REFERRER-POLICY] … message topic …” (archives)
Issue Tracking:
GitHub
Inline In Spec
@@ -1447,7 +1483,7 @@

- +
@@ -1461,19 +1497,19 @@

https://github.com/w3c/webappsec.

-

The (archived) public mailing list public-webappsec@w3.org (see instructions) +

The (archived) public mailing list public-webappsec@w3.org (see instructions) is preferred for discussion of this specification. When sending e-mail, - please put the text “referrer-policy” in the subject, + please put the text “REFERRER-POLICY” in the subject, preferably like this: - “[referrer-policy] …summary of comment…

+ “[REFERRER-POLICY] …summary of comment…

This document was produced by the Web Application Security Working Group.

This document was produced by a group operating under - the 5 February 2004 W3C Patent Policy. + the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. - An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

-

This document is governed by the 1 March 2017 W3C Process Document.

+ An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

+

This document is governed by the 1 February 2018 W3C Process Document.

@@ -1604,30 +1640,30 @@

2. referrer policy.

Every environment settings object has an algorithm for obtaining a referrer policy, which is used by default for all requests with that environment settings object as their client.

-
same-origin request +
same-origin request
A Request request is a same-origin request if request’s origin and the origin of request’s current url are the same. -
cross-origin request +
cross-origin request
A Request is a cross-origin request if it is not same-origin.

3. Referrer Policies

-

A referrer policy is the empty string, "no-referrer", +

A referrer policy is the empty string, "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".

-
enum ReferrerPolicy {
-  "",
-  "no-referrer",
-  "no-referrer-when-downgrade",
-  "same-origin",
-  "origin",
-  "strict-origin",
-  "origin-when-cross-origin",
-  "strict-origin-when-cross-origin",
-  "unsafe-url"
+
enum ReferrerPolicy {
+  "",
+  "no-referrer",
+  "no-referrer-when-downgrade",
+  "same-origin",
+  "origin",
+  "strict-origin",
+  "origin-when-cross-origin",
+  "strict-origin-when-cross-origin",
+  "unsafe-url"
 };
 

Each possible referrer policy is explained below. A detailed
@@ -1636,37 +1672,38 @@

environment settings object is used as a request client. This policy may be tightened for specific requests via mechanisms like the noreferrer link type.

-

3.1. "no-referrer"

+

3.1. "no-referrer"

The simplest policy is "no-referrer", which specifies that no referrer information is to be sent along with requests made from a particular request client to any origin. The header will be omitted entirely.

-
If a document at https://example.com/page.html sets a policy of "no-referrer", then navigations to https://example.com/ (or any other URL) would send no Referer header.
-

3.2. "no-referrer-when-downgrade"

+
If a document at https://example.com/page.html sets a policy of "no-referrer", then navigations to https://example.com/ (or any other URL) would send no Referer header.
+

3.2. "no-referrer-when-downgrade"

The "no-referrer-when-downgrade" policy sends a full URL - along with requests from a TLS-protected environment settings - object to a potentially trustworthy URL, and requests from clients which are not TLS-protected to any origin.

-

Requests from TLS-protected clients to non- potentially trustworthy URLs, on the other hand, will contain no + along with requests from environment settings objects whose HTTPS state is "`modern`" to a potentially trustworthy URL, and requests from clients whose HTTPS state is not "`modern`" + to any origin.

+

Requests from clients whose HTTPS state is "`modern`" + to non-potentially trustworthy URLs, on the other hand, will contain no referrer information. A Referer HTTP header will not be sent.

-
- If a document at https://example.com/page.html sets a policy of "no-referrer-when-downgrade", then navigations to https://not.example.com/ would send a Referer HTTP header with a value of https://example.com/page.html, as neither resource’s origin is a +
+ If a document at https://example.com/page.html sets a policy of "no-referrer-when-downgrade", then navigations to https://not.example.com/ would send a Referer HTTP header with a value of https://example.com/page.html, as neither resource’s origin is a non-potentially trustworthy URL.

Navigations from that same page to http://not.example.com/ would send no Referer header.

This is a user agent’s default behavior, if no policy is otherwise specified.

-

3.3. "same-origin"

+

3.3. "same-origin"

The "same-origin" policy specifies that a full URL, stripped for use as a referrer, is sent as referrer information when making same-origin requests from a particular client.

Cross-origin requests, on the other hand, will contain no referrer information. A Referer HTTP header will not be sent.

-
- If a document at https://example.com/page.html sets a policy of "same-origin", then navigations to https://example.com/not-page.html would send a Referer header with a value of https://example.com/page.html. +
+ If a document at https://example.com/page.html sets a policy of "same-origin", then navigations to https://example.com/not-page.html would send a Referer header with a value of https://example.com/page.html.

Navigations from that same page to https://not.example.com/ would send no Referer header.

-

3.4. "origin"

+

3.4. "origin"

The "origin" policy specifies that only the ASCII serialization of the origin of the request client is sent as referrer information when making both same-origin requests and cross-origin requests from a particular client.

Note: The serialization of an origin looks like https://example.com. To ensure that a valid URL is sent in the
@@ -1675,24 +1712,25 @@

Note: The "origin" policy causes the origin of HTTPS referrers to be sent over the network as part of unencrypted HTTP requests. The "strict-origin" policy addresses this concern.

-
If a document at https://example.com/page.html sets a policy of "origin", then navigations to any origin would send a Referer header with a value +
If a document at https://example.com/page.html sets a policy of "origin", then navigations to any origin would send a Referer header with a value of https://example.com/, even to URLs that are not potentially trustworthy URL.
-

3.5. "strict-origin"

+

3.5. "strict-origin"

The "strict-origin" policy sends the ASCII serialization of the origin of the request client when making requests:

-

Requests from TLS-protected request clients to non- potentially trustworthy URLs, on the other hand, will contain no +

Requests from request clients whose HTTPS state is "`modern`" + to non-potentially trustworthy URLs, on the other hand, will contain no referrer information. A Referer HTTP header will not be sent.

-
- If a document at https://example.com/page.html sets a policy of "strict-origin", then navigations to https://not.example.com would send a Referer header with a value of https://example.com/. +
+ If a document at https://example.com/page.html sets a policy of "strict-origin", then navigations to https://not.example.com would send a Referer header with a value of https://example.com/.

Navigations from that same page to http://not.example.com would send no Referer header.

-
If a document at http://example.com/page.html sets a policy of "strict-origin", then navigations to http://not.example.com or https://example.com would send a Referer header with a value of http://example.com/.
-

3.6. "origin-when-cross-origin"

+
If a document at http://example.com/page.html sets a policy of "strict-origin", then navigations to http://not.example.com or https://example.com would send a Referer header with a value of http://example.com/.
+

3.6. "origin-when-cross-origin"

The "origin-when-cross-origin" policy specifies that a full URL, stripped for use as a referrer, is sent as referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client is sent as referrer information
@@ -1703,43 +1741,43 @@

"strict-origin-when-cross-origin" policy addresses this concern.

-
- If a document at https://example.com/page.html sets a policy of "origin-when-cross-origin", then navigations to https://example.com/not-page.html would send a Referer header with a value of https://example.com/page.html. +
+ If a document at https://example.com/page.html sets a policy of "origin-when-cross-origin", then navigations to https://example.com/not-page.html would send a Referer header with a value of https://example.com/page.html.

Navigations from that same page to https://not.example.com/ would send a Referer header with a value of https://example.com/, even to URLs that are not potentially trustworthy URLs.

-

3.7. "strict-origin-when-cross-origin"

+

3.7. "strict-origin-when-cross-origin"

The "strict-origin-when-cross-origin" policy specifies that a full URL, stripped for use as a referrer, is sent as referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client when making cross-origin requests:

-

Requests from TLS-protected clients to non- potentially trustworthy URLs, on the other hand, will contain no +

Requests from clients whose HTTPS state is "`modern`" to non- potentially trustworthy URLs, on the other hand, will contain no referrer information. A Referer HTTP header will not be sent.

-
- If a document at https://example.com/page.html sets a policy of "strict-origin-when-cross-origin", then navigations to https://example.com/not-page.html would send a Referer header with a value of https://example.com/page.html. +
+ If a document at https://example.com/page.html sets a policy of "strict-origin-when-cross-origin", then navigations to https://example.com/not-page.html would send a Referer header with a value of https://example.com/page.html.

Navigations from that same page to https://not.example.com/ would send a Referer header with a value of https://example.com/.

Navigations from that same page to http://not.example.com/ would send no Referer header.

-

3.8. "unsafe-url"

+

3.8. "unsafe-url"

The "unsafe-url" policy specifies that a full URL, stripped for use as a referrer, is sent along with both cross-origin requests and same-origin requests made from a particular client.

-
If a document at https://example.com/sekrit.html sets a policy +
If a document at https://example.com/sekrit.html sets a policy of "unsafe-url", then navigations to http://not.example.com/ (and every other origin) would send a Referer HTTP header with a value of https://example.com/sekrit.html.

Note: The policy’s name doesn’t lie; it is unsafe. This policy will leak - origins and paths from TLS-protected resources to insecure origins. + origins and paths from secure resources to insecure origins. Carefully consider the impact of setting such a policy for potentially sensitive documents.

-

3.9. The empty string

+

3.9. The empty string

The empty string "" corresponds to no referrer policy, causing a fallback to a referrer policy defined elsewhere, or in the case where no such higher-level policy is available, defaulting to "no-referrer-when-downgrade". This defaulting happens in the §8.3 Determine request’s Referrer algorithm.

-
Given a HTML a element without any declared referrerpolicy attribute, its referrer policy is the empty string. Thus, navigation +
Given a HTML a element without any declared referrerpolicy attribute, its referrer policy is the empty string. Thus, navigation requests initiated by clicking on that a element will be sent with the referrer policy of the a element’s node document. If that Document has the empty string as its referrer policy, the §8.3 Determine request’s Referrer algorithm will treat the empty @@ -1753,11 +1791,11 @@

§4.1 Delivery via Referrer-Policy header).
  • Via a meta element with a name of referrer.
  • Via a referrerpolicy content attribute on an a, area, img, iframe, or link element. -
  • Via the noreferrer link relation on an a, area, or link element. +
  • Via the noreferrer link relation on an a, or area element.
  • Implicitly, via inheritance.

    4.1. Delivery via Referrer-Policy header

    -

    The Referrer-Policy HTTP header +

    The Referrer-Policy HTTP header specifies the referrer policy that the user agent applies when determining what referrer information should be included with requests made, and with browsing contexts created from the context of the protected resource.

    @@ -1766,8 +1804,8 @@

    Section 7 of [RFC7230].

    "Referrer-Policy:" 1#(policy-token / extension-token)
     
    -
    policy-token = "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url"
    -extension-token = 1*( ALPHA / "-" )
    +
    policy-token = "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url"
    +extension-token = 1*( ALPHA / "-" )
     

    Note: The header name does not share the HTTP Referer header’s misspelling.

    Note: The purpose of extension-token is so that
    @@ -1799,7 +1837,7 @@

  •
  @@ -1846,8 +1884,8 @@

    location is non-null, set the referrer to its location, and the referrer policy to its referrer policy. -

    This requires that CSS style sheets process `Referrer-Policy` - headers, and store a referrer policy in the same way that Documents +

    This requires that CSS style sheets process `Referrer-Policy` + headers, and store a referrer policy in the same way that Documents do.

  • If a CSS style sheet with a null location is responsible for the request, set the referrer to its owner node’s node document’s URL, and the referrer policy to its owner node’s node document’s referrer policy.
  @@ -1881,7 +1919,7 @@

    §11.1 Unknown Policy Values.

  • Return policy. -

    8.2. Set request’s referrer policy on redirect

    +

    8.2. Set request’s referrer policy on redirect

    Given a request request and a response actualResponse, this algorithm updates request’s associated referrer policy according to the Referrer-Policy header (if any) in actualResponse.

      @@ -1889,7 +1927,7 @@

      If policy is not the empty string, then set request’s associated referrer policy to policy.

    -

    8.3. Determine request’s Referrer

    +

    8.3. Determine request’s Referrer

    Given a request request, we can determine the correct referrer information to send by examining the referrer policy associated with it, as detailed in the following steps, which return either no referrer or a URL:

    @@ -1940,7 +1978,7 @@

    If environment is not null:
      -
    1. If environment is TLS-protected and request’s current +
    2. If environment’s HTTPS state is "`modern`" and request’s current URL is not a potentially trustworthy URL, then return no referrer.
    @@ -1955,7 +1993,7 @@

    environment is not null:
    1. - If environment is TLS-protected and request’s current + If environment’s HTTPS state is "`modern`" and request’s current URL is not a potentially trustworthy URL
      1. Return no referrer.
      @@ -1983,7 +2021,7 @@

        If environment is not null:
          -
        1. If environment is TLS-protected and request’s current +
        2. If environment’s HTTPS state is "`modern`" and request’s current URL is not a potentially trustworthy URL, then return no referrer.
        @@ -1997,7 +2035,7 @@

        Certain portions of URLs must not be included when sending a URL as the value of a `Referer` header: a URLs fragment, username, and password components must be stripped from the URL before it’s sent out. This - algorithm accepts a origin-only flag, which defaults + algorithm accepts a origin-only flag, which defaults to false. If set to true, the algorithm will additionally remove the URL’s path and query components, leaving only the scheme, host, and port.

        @@ -2052,12 +2090,12 @@

        -
        Suppose older user agents don’t understand +
        Suppose older user agents don’t understand the "unsafe-url" policy. A site can specify an "origin" policy followed by an "unsafe-url" policy: older user agents will ignore the unknown "unsafe-url" value and use "origin", while newer user agents will use "unsafe-url" because it is the last to be processed.
        -
        - To specify multiple policy values in the Referrer-Policy header, a site can +
        + To specify multiple policy values in the Referrer-Policy header, a site can send multiple Referrer-Policy headers:
        Referrer-Policy: no-referrer
         Referrer-Policy: unsafe-url
        @@ -2090,8 +2128,8 @@ 

        Examples in this specification are introduced with the words “for example” or are set apart from the normative text with class="example", like this:

        -
        - +
        +

        This is an example of an informative example.

        Informative notes begin with the word “Note” and are set apart from the
        @@ -2118,177 +2156,640 @@

        -
      2. enum-value for ReferrerPolicy, in §3
      3. definition of, in §3 +
      4. enum-value for ReferrerPolicy, in §3 -
      5. no-referrer, in §3 -
      6. no-referrer-when-downgrade, in §3
      7. "no-referrer-when-downgrade" -
      8. origin, in §3
      9. "origin"
      10. origin-only flag, in §8.4 -
      11. origin-when-cross-origin, in §3
      12. "origin-when-cross-origin"
      13. policy-token, in §4.1
      14. ReferrerPolicy, in §3 +
      15. Referrer-Policy, in §4.1
      16. referrer policy -
      17. Referrer-Policy, in §4.1
      18. referrer-policy header, in §4.1
      19. "same-origin" -
      20. same-origin, in §3
      21. same-origin request, in §2
      22. Set request’s referrer policy on redirect, in §8.1 -
      23. strict-origin, in §3
      24. "strict-origin"
      25. "strict-origin-when-cross-origin" -
      26. strict-origin-when-cross-origin, in §3
      27. The empty string, in §3.8 -
      28. unsafe-url, in §3
      29. "unsafe-url" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

        Terms defined by reference

        References

        @@ -2314,8 +2815,6 @@

        N
        Mike West. Secure Contexts. 15 September 2016. CR. URL: https://www.w3.org/TR/secure-contexts/
        [URL]
        Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/ -
        [WSC-UI] -
        Thomas Roessler; Anil Saldhana. Web Security Context: User Interface Guidelines. 12 August 2010. REC. URL: https://www.w3.org/TR/wsc-ui/

        Informative References

        @@ -2323,16 +2822,16 @@

        Jenni Tennison. Capability URLs. WD. URL: http://www.w3.org/TR/capability-urls/

        IDL Index

        -
        enum ReferrerPolicy {
        -  "",
        -  "no-referrer",
        -  "no-referrer-when-downgrade",
        -  "same-origin",
        -  "origin",
        -  "strict-origin",
        -  "origin-when-cross-origin",
        -  "strict-origin-when-cross-origin",
        -  "unsafe-url"
        +
        enum ReferrerPolicy {
        +  "",
        +  "no-referrer",
        +  "no-referrer-when-downgrade",
        +  "same-origin",
        +  "origin",
        +  "strict-origin",
        +  "origin-when-cross-origin",
        +  "strict-origin-when-cross-origin",
        +  "unsafe-url"
         };
         
         
        @@ -2340,7 +2839,7 @@

        This requires that CSS style sheets process `Referrer-Policy` headers, and store a referrer policy in the same way that Documents - do.
        + do.

      30. - Via the noreferrer link relation on an <{a}>, - <{area}>, or <{link}> element. + Via the noreferrer link relation on an <{a}>, or + <{area}> element.
      31. Implicitly, via inheritance.