-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace referrer directive with Referrer-Policy header #14
Conversation
MUST execute [[#determine-policy-for-token]] on | ||
the <code>Referrer-Policy</code> header's value and then apply | ||
[[#determine-requests-referrer]] to set the <code>Referer</code> | ||
header when following the redirect. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be integrated into Fetch somehow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where somehow is probably stating what should be added to https://fetch.spec.whatwg.org/#http-fetch step 5.10
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The alternative might be to have a step similar to step 7 of https://fetch.spec.whatwg.org/#http-network-fetch. To make the header have an effect each time you get a response from the network and then use that as appropriate.
(It does seem a bit weird that a header used for setting policies for documents and workers also has an effect on redirects for requests of images and the like. But maybe that's okay. CSP seems to do something similar for cookies.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Following a redirect invokes main fetch (https://fetch.spec.whatwg.org/#concept-main-fetch), which in Step 6 calls into REFERRER determine-requests-referrer (https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer). Is it necessary to add steps to Fetch, given that Fetch already delegates to REFERRER to set the referrer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think in HTTP-network fetch we want to have steps that handle processing the Referrer-Policy
header, which REFERRER would not have access to otherwise. Does that make sense?
I also don't see where the handling for multiple tokens is defined. |
Expanded the syntax to allow multiple tokens per @annevk's suggestion |
I think you misunderstood. The |
Hmm, well I think I do want the syntax to be semicolon-separated, not comma-separated ( Assuming I leave it as semicolon-separated, I should just add text to handle multiple header values then? |
@estark37: We had talked earlier about potentially supporting the syntax @briansmith suggested (e.g. " |
Regarding commas vs semicolons, this:
is equivalent to this (note the comma):
What would the difference between that and the following (note the semicolon) be?
The only reason to use semicolons instead of commas is if you need an additional level of grouping to subdivide comma-separated things. |
@mikewest: yeah, I am trying to leave room for that. What would the JSON syntax look like for CSP3? @briansmith: I was basically trying to copy off CSP, which is why I was going for semicolons. But I guess CSP is different...
has a different effect than
Whereas I think
should be the same as what I have written as |
friendly ping to @mikewest: are there any ideas written up anywhere for what CSP3 JSON syntax would look like? |
Nothing for CSP in particular, but http://greenbytes.de/tech/webdav/draft-reschke-http-jfv-latest.html is the draft describing the general notion that I'm considering. |
Well @jonathanKingston, was looking into (de)serialization of CSP policies into JSON at https://gist.github.com/jonathanKingston/5699b440f608960dc089 |
Ah, right. I forgot about that doc. Yeah, @jonathanKingston's writeup seems sane. Not sure about the merging bits, but that's a tangential discussion. Regardless, it might be reasonable to experiment with the |
Hello! I'm back with some revisions:
|
On that note, I'm slowly convincing myself that something like that proposal is the right way to go. Ilya and I are running with a JSON format in https://w3c.github.io/reporting/ and I don't feel bad about it. I don't think it's wonderful enough to justify a new syntax for CSP (barring some other breaking change), but I do plan on using it for /cc @mnot @reschke, who will hopefully be giving me some cover in the HTTP WG shortly. :) |
I think for this header that suggested integration with Fetch and HTML looks reasonable. There's also some changes we might have to consider around referrers and redirects if the current steps don't describe that accurately. |
Via the <code>referrer</code> Content Security Policy directive (defined | ||
in [[#directive-referrer]]), delivered via a | ||
<a href="https://w3c.github.io/webappsec/specs/content-security-policy/#delivery-html-meta-element"><code><meta></code> element</a> | ||
[[!CSP2]] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just to double-check, is it ok to drop the CSP delivery just like this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's y'all's spec. Do whatever you think makes sense.
In this case, we'll need to measure usage in Chrome and drop support after deprecation, but that's on us. The spec doesn't need to maintain the definition.
Replace referrer directive with Referrer-Policy header
Just seen this sorry.
Yeah the whole document is more for porting and merging JSON files which is somewhat unrelated to the CSP header.
I was hoping the OOB reporting would be enough to do this :(. The array header mechanism mentioned seems great: It would certainly be nice to have one less format and as @mikewest mentioned this can be mitigated by permitting the array JSON structure and quoting the keyword. |
@jeisinger @mikewest this specifies the simplest possible Referrer-Policy header, with the idea that we could extend the syntax later to be more complicated if necessary. Also an attempt to specify what happens when a Referrer-Policy header is received on a redirect response. What do you think?