
REFERRER: Be a bit more specific about case-insensitivity.

mikewest committed Oct 20, 2014
1 parent 20d3903 commit a30ed4e5cded7f42bd5f5dfc65a194587f54ccd6
Showing with 38 additions and 22 deletions.
  1. +19 −11 specs/referrer-policy/index.html
  2. +19 −11 specs/referrer-policy/index.src.html
@@ -226,6 +226,13 @@ <h3 class="heading settled" data-level=2.2 id=terms-defined-by-reference><span c
of the Origin specification. <a data-biblio-type=normative data-link-type=biblio href=#biblio-rfc6454 title=RFC6454>[RFC6454]</a>
</dd>

<dt><dfn data-dfn-type=dfn data-noexport="" id=ascii-case-insensitive-match>ASCII case-insensitive match<a class=self-link href=#ascii-case-insensitive-match></a></dfn></dt>
<dd>
Two strings are an <strong>ASCII case-insensitive match</strong> if they
match according to the <a data-link-type=dfn href=http://dev.w3.org/csswg/css-syntax-3/#ascii-case-insensitive title="ASCII case-insensitive">ASCII case-insensitive</a> algorithm defined in
<a data-biblio-type=normative data-link-type=biblio href=#biblio-html5 title=HTML5>[HTML5]</a>;
</dd>

<dt><dfn data-dfn-type=dfn data-local-title=same-origin data-noexport="" id=same-origin-request>same-origin request<a class=self-link href=#same-origin-request></a></dfn></dt>
<dd>
A <a data-link-type=dfn href=#request title=request>request</a> is a <strong>same-origin request</strong> if the
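Review bot: the new definition cites [HTML5] as the source of the ASCII case-insensitive algorithm, but the inline link points at http://dev.w3.org/csswg/css-syntax-3/#ascii-case-insensitive (CSS Syntax Level 3); pick one source so the href and the biblio citation agree. The definition also ends with a stray semicolon after the citation where a period is expected.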
@@ -502,8 +509,9 @@ <h2 class="heading settled" data-level=4 id=referrer-policy-delivery><span class
<h3 class="heading settled" data-level=4.1 id=referrer-policy-delivery-meta><span class=secno>4.1. </span><span class=content>Delivery via <a data-link-type=element href=https://html.spec.whatwg.org/#meta title=meta>meta</a></span><a class=self-link href=#referrer-policy-delivery-meta></a></h3>

<p>A referrer policy may be set when an HTML <code><a data-link-type=element href=https://html.spec.whatwg.org/#meta title=meta>meta</a></code>
element with a name attribute that is a case-insensitive match for the string
"<code>Referrer</code>" is inserted into a document, for example:</p>
element with a name attribute that is an <a data-link-type=dfn href=#ascii-case-insensitive-match title="ASCII case-insensitive match">ASCII case-insensitive match</a>
for the string "<code>Referrer</code>" is inserted into a document, for
example:</p>

<pre class=example>&lt;meta name="referrer" content="origin"&gt;
</pre>
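Review bot: the reworded sentence pins down how the meta element's name attribute is compared but says nothing about how the content attribute's value ("origin" in the example) is matched to a policy token; a pointer to the determine-policy-for-token algorithm in section 6.4, which does that matching, would help readers of this section.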
@@ -901,26 +909,26 @@ <h3 class="heading settled" data-level=6.4 id=determine-policy-for-token><span c

<ol>
<li>
If <var>token</var> is a case-insensitive match for the strings
"<code>never</code>" or "<code>no-referrer</code>",
return <a data-link-type=dfn href=#no-referrer title="No Referrer"><code>No Referrer</code></a>.
If <var>token</var> is an <a data-link-type=dfn href=#ascii-case-insensitive-match title="ASCII case-insensitive match">ASCII case-insensitive match</a> for the
strings "<code>never</code>" or "<code>no-referrer</code>", return
<a data-link-type=dfn href=#no-referrer title="No Referrer"><code>No Referrer</code></a>.
</li>
<li>
If <var>token</var> is a case-insensitive match for the string
"<code>origin</code>", return <a data-link-type=dfn href=#origin title=Origin><code>Origin</code></a>.
If <var>token</var> is an <a data-link-type=dfn href=#ascii-case-insensitive-match title="ASCII case-insensitive match">ASCII case-insensitive match</a> for the
string "<code>origin</code>", return <a data-link-type=dfn href=#origin title=Origin><code>Origin</code></a>.
</li>
<li>
If <var>token</var> is a case-insensitive match for the string
If <var>token</var> is <a data-link-type=dfn href=#ascii-case-insensitive-match title="ASCII case-insensitive match">ASCII case-insensitive match</a> for the string
"<code>default</code>" or "<code>no-referrer-when-downgrade</code>",
return <a data-link-type=dfn href=#no-referrer-when-downgrade title="No Referrer When Downgrade"><code>No Referrer When Downgrade</code></a>.
</li>
<li>
If <var>token</var> is a case-insensitive match for the string
If <var>token</var> is <a data-link-type=dfn href=#ascii-case-insensitive-match title="ASCII case-insensitive match">ASCII case-insensitive match</a> for the string
"<code>origin-when-crossorigin</code>", return
<a data-link-type=dfn href=#origin-when-cross-origin title="Origin When Cross-Origin"><code>Origin When Cross-Origin</code></a>.
</li>
<li>
If <var>token</var> is a case-insensitive match for the strings
If <var>token</var> is <a data-link-type=dfn href=#ascii-case-insensitive-match title="ASCII case-insensitive match">ASCII case-insensitive match</a> for the strings
"<code>always</code>" or "<code>unsafe-url</code>",
return <a data-link-type=dfn href=#unsafe-url title="Unsafe URL"><code>Unsafe URL</code></a>.
</li>
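Review bot: the replacement text in the third, fourth and fifth list items reads "is ASCII case-insensitive match", dropping the article "an" that the first two items keep ("is an <a …>ASCII case-insensitive match</a>"); add it in all three for consistency. The third item also says "the string" for two alternatives ("default" or "no-referrer-when-downgrade") while the first item uses "the strings" for the same shape.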
@@ -1008,4 +1016,4 @@ <h3 class="no-ref no-num heading settled" id=conformance-classes><span class=con



<h2 class="no-num heading settled" id=references><span class=content>References</span><a class=self-link href=#references></a></h2><h3 class="no-num heading settled" id=normative><span class=content>Normative References</span><a class=self-link href=#normative></a></h3><dl><dt id=biblio-csp title=CSP><a class=self-link href=#biblio-csp></a>[CSP]<dd>Brandon Sterne; Adam Barth. <a href=http://www.w3.org/TR/CSP/>Content Security Policy 1.0</a>. 15 November 2012. CR. URL: <a href=http://www.w3.org/TR/CSP/>http://www.w3.org/TR/CSP/</a><dt id=biblio-ecma-262 title=ECMA-262><a class=self-link href=#biblio-ecma-262></a>[ECMA-262]<dd>???. <a href=http://www.ecma-international.org/publications/standards/Ecma-262.htm>ECMAScript Language Specification, Edition 5.1</a>. June 2011. URL: <a href=http://www.ecma-international.org/publications/standards/Ecma-262.htm>http://www.ecma-international.org/publications/standards/Ecma-262.htm</a><dt id=biblio-fetch title=FETCH><a class=self-link href=#biblio-fetch></a>[FETCH]<dd>Anne van Kesteren. <a href=http://fetch.spec.whatwg.org/>Fetch</a>. Living Standard. URL: <a href=http://fetch.spec.whatwg.org/>http://fetch.spec.whatwg.org/</a><dt id=biblio-mix title=MIX><a class=self-link href=#biblio-mix></a>[MIX]<dd>Mike West. <a href=https://w3c.github.io/webappsec/specs/mixedcontent/>Mixed Content</a>. ED. URL: <a href=https://w3c.github.io/webappsec/specs/mixedcontent/>https://w3c.github.io/webappsec/specs/mixedcontent/</a><dt id=biblio-rfc6454 title=RFC6454><a class=self-link href=#biblio-rfc6454></a>[RFC6454]<dd>Adam Barth. <a href=http://www.ietf.org/rfc/rfc6454.txt>The Web Origin Concept</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc6454.txt>http://www.ietf.org/rfc/rfc6454.txt</a><dt id=biblio-rfc7231 title=RFC7231><a class=self-link href=#biblio-rfc7231></a>[RFC7231]<dd>Roy T. Fielding; Julian F. Reschke. <a href=http://www.ietf.org/rfc/rfc7231.txt>HTTP/1.1 Semantics and Content</a>. RFC. 
URL: <a href=http://www.ietf.org/rfc/rfc7231.txt>http://www.ietf.org/rfc/rfc7231.txt</a><dt id=biblio-url title=URL><a class=self-link href=#biblio-url></a>[URL]<dd>Anne van Kesteren. <a href=http://url.spec.whatwg.org/>URL</a>. Living Standard. URL: <a href=http://url.spec.whatwg.org/>http://url.spec.whatwg.org/</a><dt id=biblio-html5 title=html5><a class=self-link href=#biblio-html5></a>[html5]<dd>Robin Berjon; et al. <a href=http://www.w3.org/TR/html5/>HTML5</a>. 16 September 2014. PR. URL: <a href=http://www.w3.org/TR/html5/>http://www.w3.org/TR/html5/</a><dt id=biblio-rfc2119 title=rfc2119><a class=self-link href=#biblio-rfc2119></a>[rfc2119]<dd>S. Bradner. <a href=http://www.ietf.org/rfc/rfc2119.txt>Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href=http://www.ietf.org/rfc/rfc2119.txt>http://www.ietf.org/rfc/rfc2119.txt</a><dt id=biblio-workers title=workers><a class=self-link href=#biblio-workers></a>[workers]<dd>Ian Hickson. <a href=http://www.w3.org/TR/workers/>Web Workers</a>. 1 May 2012. CR. URL: <a href=http://www.w3.org/TR/workers/>http://www.w3.org/TR/workers/</a><dt id=biblio-wsc-ui title=wsc-ui><a class=self-link href=#biblio-wsc-ui></a>[wsc-ui]<dd>Thomas Roessler; Anil Saldhana. <a href=http://www.w3.org/TR/wsc-ui/>Web Security Context: User Interface Guidelines</a>. 12 August 2010. REC. URL: <a href=http://www.w3.org/TR/wsc-ui/>http://www.w3.org/TR/wsc-ui/</a></dl><h3 class="no-num heading settled" id=informative><span class=content>Informative References</span><a class=self-link href=#informative></a></h3><dl><dt id=biblio-capability-urls title=CAPABILITY-URLS><a class=self-link href=#biblio-capability-urls></a>[CAPABILITY-URLS]<dd>Jenni Tennison. <a href=http://www.w3.org/TR/capability-urls/>Capability URLs</a>. WD. 
URL: <a href=http://www.w3.org/TR/capability-urls/>http://www.w3.org/TR/capability-urls/</a></dl><h2 class="no-num heading settled" id=index><span class=content>Index</span><a class=self-link href=#index></a></h2><ul class=indexlist><li>API referrer source, <a href=#api-referrer-source title="section 2.2">2.2</a><li>a priori insecure origin, <a href=#a-priori-insecure-origin title="section 2.2">2.2</a><li>ASCII serialization of an origin, <a href=#ascii-serialization-of-an-origin title="section 2.2">2.2</a><li>client, <a href=#request-client title="section 2.2">2.2</a><li>conformant server, <a href=#conformant-server title="section Unnumbered section">Unnumbered section</a><li>conformant user agent, <a href=#conformant-user-agent title="section Unnumbered section">Unnumbered section</a><li>context, <a href=#request-context title="section 2.2">2.2</a><li>cross-origin, <a href=#cross-origin-request title="section 2.2">2.2</a><li>cross-origin request, <a href=#cross-origin-request title="section 2.2">2.2</a><li>document environment, <a href=#document-environment title="section 2.2">2.2</a><li>Entry settings object, <a href=#entry-settings-object title="section 2.2">2.2</a><li>fetch, <a href=#fetch title="section 2.2">2.2</a><li>global environment, <a href=#javascript-global-environment title="section 2.2">2.2</a><li>global object, <a href=#global-object title="section 2.2">2.2</a><li>JavaScript global environment, <a href=#javascript-global-environment title="section 2.2">2.2</a><li>No Referrer, <a href=#no-referrer title="section 3.1">3.1</a><li>noreferrer, <a href=#noreferrer title="section 2.2">2.2</a><li>No Referrer When Downgrade, <a href=#no-referrer-when-downgrade title="section 3.2">3.2</a><li>origin, <a href=#origin title="section 2.2">2.2</a><li>Origin Only, <a href=#origin-only title="section 3.3">3.3</a><li>origin-only flag, <a href=#origin-only-flag title="section 6.3">6.3</a><li>Origin When Cross-Origin, <a href=#origin-when-cross-origin title="section 
3.4">3.4</a><li>policy, <a href=#referrer-policy title="section 2.1">2.1</a><li>Referer, <a href=#referer-http-header-field title="section 2.2">2.2</a><li>Referer header, <a href=#referer-http-header-field title="section 2.2">2.2</a><li>Referer HTTP header field, <a href=#referer-http-header-field title="section 2.2">2.2</a><li>referrer policy, <a href=#referrer-policy title="section 2.1">2.1</a><li>relative scheme, <a href=#relative-scheme title="section 2.2">2.2</a><li>request, <a href=#request title="section 2.2">2.2</a><li>request client, <a href=#request-client title="section 2.2">2.2</a><li>request context, <a href=#request-context title="section 2.2">2.2</a><li>runs a worker, <a href=#runs-a-worker title="section 2.2">2.2</a><li>same-origin, <a href=#same-origin-request title="section 2.2">2.2</a><li>same-origin request, <a href=#same-origin-request title="section 2.2">2.2</a><li>TLS-protected, <a href=#tls-protected title="section 2.2">2.2</a><li>Unsafe URL, <a href=#unsafe-url title="section 3.5">3.5</a><li>worker environment, <a href=#worker-environment title="section 2.2">2.2</a></ul><h2 class="no-num heading settled" id=issues-index><span class=content>Issues Index</span><a class=self-link href=#issues-index></a></h2><div style=counter-reset:issue><div class=issue>What about service workers?<a href=#issue-d46e3fb1> ↵ </a></div></div>
<h2 class="no-num heading settled" id=references><span class=content>References</span><a class=self-link href=#references></a></h2><h3 class="no-num heading settled" id=normative><span class=content>Normative References</span><a class=self-link href=#normative></a></h3><dl><dt id=biblio-csp title=CSP><a class=self-link href=#biblio-csp></a>[CSP]<dd>Brandon Sterne; Adam Barth. <a href=http://www.w3.org/TR/CSP/>Content Security Policy 1.0</a>. 15 November 2012. CR. URL: <a href=http://www.w3.org/TR/CSP/>http://www.w3.org/TR/CSP/</a><dt id=biblio-ecma-262 title=ECMA-262><a class=self-link href=#biblio-ecma-262></a>[ECMA-262]<dd>???. <a href=http://www.ecma-international.org/publications/standards/Ecma-262.htm>ECMAScript Language Specification, Edition 5.1</a>. June 2011. URL: <a href=http://www.ecma-international.org/publications/standards/Ecma-262.htm>http://www.ecma-international.org/publications/standards/Ecma-262.htm</a><dt id=biblio-fetch title=FETCH><a class=self-link href=#biblio-fetch></a>[FETCH]<dd>Anne van Kesteren. <a href=http://fetch.spec.whatwg.org/>Fetch</a>. Living Standard. URL: <a href=http://fetch.spec.whatwg.org/>http://fetch.spec.whatwg.org/</a><dt id=biblio-mix title=MIX><a class=self-link href=#biblio-mix></a>[MIX]<dd>Mike West. <a href=https://w3c.github.io/webappsec/specs/mixedcontent/>Mixed Content</a>. ED. URL: <a href=https://w3c.github.io/webappsec/specs/mixedcontent/>https://w3c.github.io/webappsec/specs/mixedcontent/</a><dt id=biblio-rfc6454 title=RFC6454><a class=self-link href=#biblio-rfc6454></a>[RFC6454]<dd>Adam Barth. <a href=http://www.ietf.org/rfc/rfc6454.txt>The Web Origin Concept</a>. RFC. URL: <a href=http://www.ietf.org/rfc/rfc6454.txt>http://www.ietf.org/rfc/rfc6454.txt</a><dt id=biblio-rfc7231 title=RFC7231><a class=self-link href=#biblio-rfc7231></a>[RFC7231]<dd>Roy T. Fielding; Julian F. Reschke. <a href=http://www.ietf.org/rfc/rfc7231.txt>HTTP/1.1 Semantics and Content</a>. RFC. 
URL: <a href=http://www.ietf.org/rfc/rfc7231.txt>http://www.ietf.org/rfc/rfc7231.txt</a><dt id=biblio-url title=URL><a class=self-link href=#biblio-url></a>[URL]<dd>Anne van Kesteren. <a href=http://url.spec.whatwg.org/>URL</a>. Living Standard. URL: <a href=http://url.spec.whatwg.org/>http://url.spec.whatwg.org/</a><dt id=biblio-html5 title=html5><a class=self-link href=#biblio-html5></a>[html5]<dd>Robin Berjon; et al. <a href=http://www.w3.org/TR/html5/>HTML5</a>. 16 September 2014. PR. URL: <a href=http://www.w3.org/TR/html5/>http://www.w3.org/TR/html5/</a><dt id=biblio-rfc2119 title=rfc2119><a class=self-link href=#biblio-rfc2119></a>[rfc2119]<dd>S. Bradner. <a href=http://www.ietf.org/rfc/rfc2119.txt>Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href=http://www.ietf.org/rfc/rfc2119.txt>http://www.ietf.org/rfc/rfc2119.txt</a><dt id=biblio-workers title=workers><a class=self-link href=#biblio-workers></a>[workers]<dd>Ian Hickson. <a href=http://www.w3.org/TR/workers/>Web Workers</a>. 1 May 2012. CR. URL: <a href=http://www.w3.org/TR/workers/>http://www.w3.org/TR/workers/</a><dt id=biblio-wsc-ui title=wsc-ui><a class=self-link href=#biblio-wsc-ui></a>[wsc-ui]<dd>Thomas Roessler; Anil Saldhana. <a href=http://www.w3.org/TR/wsc-ui/>Web Security Context: User Interface Guidelines</a>. 12 August 2010. REC. URL: <a href=http://www.w3.org/TR/wsc-ui/>http://www.w3.org/TR/wsc-ui/</a></dl><h3 class="no-num heading settled" id=informative><span class=content>Informative References</span><a class=self-link href=#informative></a></h3><dl><dt id=biblio-capability-urls title=CAPABILITY-URLS><a class=self-link href=#biblio-capability-urls></a>[CAPABILITY-URLS]<dd>Jenni Tennison. <a href=http://www.w3.org/TR/capability-urls/>Capability URLs</a>. WD. 
URL: <a href=http://www.w3.org/TR/capability-urls/>http://www.w3.org/TR/capability-urls/</a></dl><h2 class="no-num heading settled" id=index><span class=content>Index</span><a class=self-link href=#index></a></h2><ul class=indexlist><li>API referrer source, <a href=#api-referrer-source title="section 2.2">2.2</a><li>a priori insecure origin, <a href=#a-priori-insecure-origin title="section 2.2">2.2</a><li>ASCII case-insensitive match, <a href=#ascii-case-insensitive-match title="section 2.2">2.2</a><li>ASCII serialization of an origin, <a href=#ascii-serialization-of-an-origin title="section 2.2">2.2</a><li>client, <a href=#request-client title="section 2.2">2.2</a><li>conformant server, <a href=#conformant-server title="section Unnumbered section">Unnumbered section</a><li>conformant user agent, <a href=#conformant-user-agent title="section Unnumbered section">Unnumbered section</a><li>context, <a href=#request-context title="section 2.2">2.2</a><li>cross-origin, <a href=#cross-origin-request title="section 2.2">2.2</a><li>cross-origin request, <a href=#cross-origin-request title="section 2.2">2.2</a><li>document environment, <a href=#document-environment title="section 2.2">2.2</a><li>Entry settings object, <a href=#entry-settings-object title="section 2.2">2.2</a><li>fetch, <a href=#fetch title="section 2.2">2.2</a><li>global environment, <a href=#javascript-global-environment title="section 2.2">2.2</a><li>global object, <a href=#global-object title="section 2.2">2.2</a><li>JavaScript global environment, <a href=#javascript-global-environment title="section 2.2">2.2</a><li>No Referrer, <a href=#no-referrer title="section 3.1">3.1</a><li>noreferrer, <a href=#noreferrer title="section 2.2">2.2</a><li>No Referrer When Downgrade, <a href=#no-referrer-when-downgrade title="section 3.2">3.2</a><li>origin, <a href=#origin title="section 2.2">2.2</a><li>Origin Only, <a href=#origin-only title="section 3.3">3.3</a><li>origin-only flag, <a href=#origin-only-flag 
title="section 6.3">6.3</a><li>Origin When Cross-Origin, <a href=#origin-when-cross-origin title="section 3.4">3.4</a><li>policy, <a href=#referrer-policy title="section 2.1">2.1</a><li>Referer, <a href=#referer-http-header-field title="section 2.2">2.2</a><li>Referer header, <a href=#referer-http-header-field title="section 2.2">2.2</a><li>Referer HTTP header field, <a href=#referer-http-header-field title="section 2.2">2.2</a><li>referrer policy, <a href=#referrer-policy title="section 2.1">2.1</a><li>relative scheme, <a href=#relative-scheme title="section 2.2">2.2</a><li>request, <a href=#request title="section 2.2">2.2</a><li>request client, <a href=#request-client title="section 2.2">2.2</a><li>request context, <a href=#request-context title="section 2.2">2.2</a><li>runs a worker, <a href=#runs-a-worker title="section 2.2">2.2</a><li>same-origin, <a href=#same-origin-request title="section 2.2">2.2</a><li>same-origin request, <a href=#same-origin-request title="section 2.2">2.2</a><li>TLS-protected, <a href=#tls-protected title="section 2.2">2.2</a><li>Unsafe URL, <a href=#unsafe-url title="section 3.5">3.5</a><li>worker environment, <a href=#worker-environment title="section 2.2">2.2</a></ul><h2 class="no-num heading settled" id=issues-index><span class=content>Issues Index</span><a class=self-link href=#issues-index></a></h2><div style=counter-reset:issue><div class=issue>What about service workers?<a href=#issue-d46e3fb1> ↵ </a></div></div>
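Review bot: the regenerated bibliography still carries "???" as the author of the [ECMA-262] entry, and its HTML5 entry is keyed "[html5]" while the definition added in the first hunk cites it as "[HTML5]"; both should be fixed in the biblio source so the next regeneration comes out clean. The Index change itself, the new "ASCII case-insensitive match, 2.2" entry, matches the new definition.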
0 comments on commit a30ed4e