Fix module script descendant referrer tests to match spec PR #22038
Conversation
wpt-pr-bot
requested review from
annevk,
foolip,
jdm,
jgraham,
zcorpan and
zqzhang
|
I think the request to
Not sure I understand. Does A.com/js do anything interesting? Is it the same as A.com/x.js? |
|
Sure, it could be equivalent to |
|
My understanding is that the following would happen: Here the redirect doesn't change anything: the final request to A.com/x.js is the same with/without the redirect (no generated A case where the redirect would change something is when some request in the chain is cross-origin solely due to a redirect. Like below: Here there is no |
|
Thanks @domfarolino. I think that looks okay. |
This PR fixes module script descendent referrer tests that I originally added in https://crrev.com/c/1809205. The tests I added match the spec, and we were going to change Chromium's implementation accordingly, however after more discussion in w3c/webappsec-referrer-policy#123, we're aiming to change the spec to be more sane.
This PR makes the module script descendant scripts tests assert that a descendant script's referrer string is used in determining if the request is same-origin or not. Currently the spec computes same-origin-ness by comparing request's currently URL and request's origin (which can be its client's origin). It does not consider the referrer string, which may be different than its client's origin, via module scripts. Consider:
In this case, the request for A.com/x.js's referrer string is B.com/x.js, but it's client's origin is A.com. The point of the HTML Standard setting the descendant's referrer string to its parent's URL is to make the parent behave as the referrer in this case, but the Referrer Policy spec didn't respect this. w3c/webappsec-referrer-policy#123 changes the Referrer Policy spec accordingly, and this PR considers the above request to be cross-origin (the descendant request is cross-origin relative its parent).