New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Why no referrerpolicy="" on <script>? #96

Closed
domenic opened this Issue Feb 22, 2017 · 4 comments

Comments

Projects
None yet
5 participants
@domenic
Contributor

domenic commented Feb 22, 2017

It seems a bit strange that you can get it indirectly using <link rel="preload" referrerpolicy="..." href="..."> plus a later <script src="...">, but can't just do <script src="..." referrerpolicy="..."> directly.

@estark37

This comment has been minimized.

Show comment
Hide comment
@estark37

estark37 Feb 22, 2017

Collaborator

Huh, I actually thought we had the attribute on script tags, but I guess we don't.

As @jeisinger notes in #15 (comment), one can always modify the referrer via a ServiceWorker. Nevertheless, I think it would be reasonable to add the attribute on scripts.

Collaborator

estark37 commented Feb 22, 2017

Huh, I actually thought we had the attribute on script tags, but I guess we don't.

As @jeisinger notes in #15 (comment), one can always modify the referrer via a ServiceWorker. Nevertheless, I think it would be reasonable to add the attribute on scripts.

domenic added a commit to whatwg/html that referenced this issue Sep 14, 2017

Make integrity="" work on module scripts
The primary normative content of this commit is that it fixes #2382 by
passing the integrity metadata to the fetch call for the top-level
module script, in <script type=module>.

However, the way it does this is via a larger refactoring, which is
setting the stage for #2315. It creates a new struct, the script fetch
options, which is now shared by both module and classic scripts. Storing
this for classic scripts is not currently useful, but will be for #2315
when, via import(), classic scripts are able to import module scripts,
and need these fetch options to do so.

This will also be useful for when we revive #2383, as
<link rel=modulepreload> can have referrerpolicy="" specified on it,
which will need to be passed down. (It would also be useful if we ever
do w3c/webappsec-referrer-policy#96 and add
referrerpolicy="" to <script>.) With this structure in place, it's a
simple matter of adding a referrer policy item to the script fetch
options.

domenic added a commit to whatwg/html that referenced this issue Oct 3, 2017

Make integrity="" work on module scripts
The primary normative content of this commit is that it fixes #2382 by
passing the integrity metadata to the fetch call for the top-level
module script, in <script type=module>.

However, the way it does this is via a larger refactoring, which is
setting the stage for #2315. It creates a new struct, the script fetch
options, which is now shared by both module and classic scripts. Storing
this for classic scripts is not currently useful, but will be for #2315
when, via import(), classic scripts are able to import module scripts,
and need these fetch options to do so.

This will also be useful for when we revive #2383, as
<link rel=modulepreload> can have referrerpolicy="" specified on it,
which will need to be passed down. (It would also be useful if we ever
do w3c/webappsec-referrer-policy#96 and add
referrerpolicy="" to <script>.) With this structure in place, it's a
simple matter of adding a referrer policy item to the script fetch
options.

domenic added a commit to whatwg/html that referenced this issue Oct 3, 2017

Make integrity="" work on module scripts
The primary normative content of this commit is that it fixes #2382 by
passing the integrity metadata to the fetch call for the top-level
module script, in <script type=module>.

However, the way it does this is via a larger refactoring, which is
setting the stage for #2315. It creates a new struct, the script fetch
options, which is now shared by both module and classic scripts. Storing
this for classic scripts is not currently useful, but will be for #2315
when, via import(), classic scripts are able to import module scripts,
and need these fetch options to do so.

This will also be useful for when we revive #2383, as
<link rel=modulepreload> can have referrerpolicy="" specified on it,
which will need to be passed down. (It would also be useful if we ever
do w3c/webappsec-referrer-policy#96 and add
referrerpolicy="" to <script>.) With this structure in place, it's a
simple matter of adding a referrer policy item to the script fetch
options.
@jeisinger

This comment has been minimized.

Show comment
Hide comment
@jeisinger

jeisinger Nov 5, 2017

Member

agree that it's a reasonable attribute to add

Member

jeisinger commented Nov 5, 2017

agree that it's a reasonable attribute to add

@domfarolino

This comment has been minimized.

Show comment
Hide comment
@domfarolino

domfarolino May 8, 2018

Contributor

I'd like to take this on if that's OK. Seems like it'll only need HTML Standard changes. I can probably do the Chrome implementation too, but that's a different conversation.

Contributor

domfarolino commented May 8, 2018

I'd like to take this on if that's OK. Seems like it'll only need HTML Standard changes. I can probably do the Chrome implementation too, but that's a different conversation.

@king7777

This comment has been minimized.

Show comment
Hide comment
@king7777

king7777 commented May 14, 2018

Wad

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment