
Integrate with the Referrer Policy spec, part 2 of n

This makes getting the referrer policy a first-class citizen of the
environment settings object algorithm set. WorkerGlobalScopes and
Documents both get referrer policies, and the process by which the
header or meta element set these is spelled out explicitly. This
includes tricky cases like navigation and <iframe>s, which the Referrer
Policy spec currently handles with (somewhat incomplete and incorrect)
monkeypatches.

Closes the following Referrer Policy issues:

- w3c/webappsec-referrer-policy#30
- w3c/webappsec-referrer-policy#32
domenic committed May 17, 2016
1 parent 89fbb33 commit 176e74243c649b709b9959b7d08b327290c2f403
Showing with 74 additions and 24 deletions: source (+74 −24)
<li><dfn data-noexport="" data-x-href="https://url.spec.whatwg.org/#url-cannot-be-a-base-url-flag">cannot-be-a-base-URL flag</dfn>
</ul>
</li>
<li>A <dfn data-noexport="" data-x-href="https://url.spec.whatwg.org/#local-scheme">local scheme</dfn>
<li>A <dfn data-noexport="" data-x-href="https://url.spec.whatwg.org/#network-scheme">network scheme</dfn>
<li>The <dfn data-noexport="" data-x="concept-url-serialiser" data-x-href="https://url.spec.whatwg.org/#concept-url-serializer">URL serialiser</dfn>
<li>The <dfn data-noexport="" data-x-href="https://url.spec.whatwg.org/#concept-host-parser">host parser</dfn>
<dfn data-x="referrerpolicy-origin-when-cross-origin" data-x-href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-origin-when-cross-origin">"<code>origin-when-cross-origin</code>"</dfn>, and
<dfn data-x="referrerpolicy-unsafe-url" data-x-href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-unsafe-url">"<code>unsafe-url</code>"</dfn> policies</li>
<li>The `<dfn data-x="http-referrer-policy" data-x-href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header-dfn"><code>Referrer-Policy</code></dfn>` HTTP header</li>
<li>The <dfn data-x="parse-referrer-policy-header" data-x-href="https://w3c.github.io/webappsec-referrer-policy/#parse-referrer-policy-from-header">parse a referrer policy from a `<code>Referrer-Policy</code>` header</dfn> algorithm</li>
<li>The <dfn data-x="concept-determine-referrer-policy" data-x-href="https://w3c.github.io/webappsec-referrer-policy/#determine-policy-for-token">determine the referrer policy</dfn> algorithm</li>
<li>The <dfn data-x-href="https://w3c.github.io/webappsec-referrer-policy/#set-referrer-policy">set the referrer policy</dfn> algorithm</li>
</ul>

<p>The following terms are defined in <cite>Mixed Content</cite>: <ref spec=MIX></p>
<li><p>First, the presence of a <code data-x="rel-noreferrer">noreferrer</code> link
type;</p></li>
<li><p>Then, the value of a <span>referrer policy attribute</span>;</p></li>
<li><p>Finally, a global policy, delivered via the `<code
data-x="http-referrer-policy">Referrer-Policy</code>` header or a <code>meta</code> element with
<code data-x="attr-meta-name">name</code> attribute set to <code
<li><p>Then, the presence of any <code>meta</code> element with <code
data-x="attr-meta-name">name</code> attribute set to <code
data-x="meta-referrer">referrer</code>.</p></li>
<li><p>Finally, the `<code data-x="http-referrer-policy">Referrer-Policy</code>` HTTP
header.</p></li>
</ol>
</div>
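Review bot: the rewritten precedence list says a meta element counts by its mere "presence" (third item), but the meta processing hunk further down only overrides the document's referrer policy when the parsed value is non-empty and aborts otherwise, so a meta element with an unrecognised content value leaves the header-derived policy in place. Suggest wording the item as "Then, the value of any meta element with name referrer whose content parses to a non-empty referrer policy" so this note matches the algorithm it summarises.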

<li><p>Let <var>HTTPS state</var> be the <span data-x="concept-document-https-state">HTTPS
state</span> of the <span>browsing context</span>'s <span>active document</span>.</p></li>

<li><p>Let <var>referrer policy</var> be the <span
data-x="concept-document-referrer-policy">referrer policy</span> of the <span>browsing
context</span>'s <span>active document</span>.</p></li>

<li><p>Let <var>CSP list</var> be the <span data-x="concept-document-csp-list">CSP list</span>
of the <span>browsing context</span>'s <span>active document</span>.</p></li>

<p><span>Navigate</span><!--DONAV reload after d.open()--> the <span>browsing context</span> to
a new <span data-x="concept-response">response</span> whose <span
data-x="concept-response-body">body</span> is <var>source</var>, <span
data-x="concept-response-header-list">header list</span> is `<code
data-x="http-referrer-policy">Referrer-Policy</code>`/<var>referrer policy</var>, <span
data-x="concept-response-csp-list">CSP list</span> is <var>CSP list</var> and <span
data-x="concept-response-https-state">HTTPS state</span> is <var>HTTPS state</var>, with the
<var><span>exceptions enabled flag</span></var> set and <span>replacement enabled</span>. The
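Review bot: the synthesized response always carries a `Referrer-Policy` header whose value is the active document's referrer policy, and that value is the empty string until a header or meta element sets it, so the new response can end up with a header that has an empty value. If the "parse a referrer policy from a Referrer-Policy header" step on the receiving side maps an empty value back to the empty string this is harmless, but either say so in a note or only add the header when referrer policy is non-empty. The same pattern appears in the srcdoc and javascript: URL hunks below.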
(an <span>HTTPS state value</span>), initially "<code data-x="">none</code>", which represents the
security properties of the network channel used to deliver the <code>Document</code>'s data.</p>

<p>The <code>Document</code> has a <dfn data-x="concept-document-referrer-policy">referrer
policy</dfn> (a <span>referrer policy</span>), initially the empty string, which represents the
default <span>referrer policy</span> used by <span data-x="concept-fetch">fetches</span>
initiated by the <code>Document</code>.</p>

<p>The <code>Document</code> has a <dfn data-x="concept-document-csp-list">CSP list</dfn>, which is a
list of <span>Content Security Policy</span> objects active in this context. The list is empty
unless otherwise specified.</p>
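Review bot: "initially the empty string" needs a sentence saying what the empty string means to a fetch, since the header and the meta element are the only things in this diff that set it; as written a reader cannot tell whether an unset document policy means "no referrer policy" or falls back to a default defined in the Referrer Policy spec. A short parenthetical with a reference to that spec would do, in the same way the HTTPS state definition just above explains its initial "none".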
data-x="concept-determine-referrer-policy">determining the policy</span> for
<var>value</var>.</p></li>

<li><p>If <var>policy</var> is not the empty string, then <span>Set the referrer
policy</span> for <var>element</var>'s <span>node document</span>'s <span>relevant settings
object</span> to <var>policy</var>, and abort this algorithm.</p></li>
<li><p>If <var>policy</var> is not the empty string, then set <var>element</var>'s
<span>node document</span>'s <span data-x="concept-document-referrer-policy">referrer
policy</span> to <var>policy</var>, and abort this algorithm.</p></li>
</ol>
</li>
</ol>
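Review bot: the meta element path now writes the node document's referrer policy directly instead of calling "Set the referrer policy" on the relevant settings object, which is the right direction now that the settings object derives its policy from the document rather than the other way round. Check whether the "set the referrer policy" entry in the dependencies list at the top of this diff still has any user after this change; if this was its only caller, drop the entry so the cross-reference does not dangle.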
a new <span data-x="concept-response">response</span> whose <span
data-x="concept-response-url-list">url list</span> consists of <code>about:srcdoc</code>, <span
data-x="concept-response-header-list">header list</span> consists of
`<code data-x="">Content-Type</code>`/`<code>text/html</code>`, <span
data-x="concept-response-body">body</span> is the value of the attribute, <span
data-x="concept-response-csp-list">CSP list</span> is the <span
`<code data-x="">Content-Type</code>`/`<code>text/html</code>` and `<code
data-x="http-referrer-policy">Referrer-Policy</code>`/the <code>iframe</code> element's
<span>node document</span>'s <span data-x="concept-document-referrer-policy">referrer
policy</span>, <span data-x="concept-response-body">body</span> is the value of the attribute,
<span data-x="concept-response-csp-list">CSP list</span> is the <span
data-x="concept-document-csp-list">CSP list</span> of the <code>iframe</code> element's <span>node
document</span>, and <span data-x="concept-response-https-state">HTTPS state</span> is the <span
document</span>, <span data-x="concept-response-https-state">HTTPS state</span> is the <span
data-x="concept-document-https-state">HTTPS state</span> of the <code>iframe</code> element's
<span>node document</span>.
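Review bot: the srcdoc response inherits the referrer policy of the iframe element's node document through a synthesized `Referrer-Policy` header, so the embedded document's default policy is whatever the parent's policy is at the moment the srcdoc is processed, and the iframe's own referrer policy attribute plays no part in it. If that is intended, a short note here would save readers from assuming the attribute also sets the child document's policy rather than only affecting the fetches covered by the precedence list above.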

<span>browsing context</span> has no <span>creator browsing context</span>.</p>

<p>If a <span>browsing context</span> <var>A</var> has a <span>creator browsing
context</span>, then the <dfn>creator origin</dfn>, <dfn>creator URL</dfn>, and <dfn>creator base
URL</dfn> are the <span>origin</span>, <span data-x="concept-document-url">URL</span>, and <span
data-x="document base URL">base URL</span>, respectively, of the <code>Document</code> that was
the <span>active document</span> of that <span>creator browsing context</span> at the time
<var>A</var> was created.</p>
context</span>, then the <dfn>creator origin</dfn>, <dfn>creator URL</dfn>, <dfn>creator base
URL</dfn>, and <dfn>creator referrer policy</dfn> are the <span>origin</span>, <span
data-x="concept-document-url">URL</span>, <span data-x="document base URL">base URL</span>, and
<span data-x="concept-document-referrer-policy">referrer policy</span>, respectively, of the
<code>Document</code> that was the <span>active document</span> of that <span>creator browsing
context</span> at the time <var>A</var> was created.</p>

<div w-nodev>

set <var>document</var>'s <span data-x="the document's referrer">referrer</span> to the
<span>creator URL</span>.</p></li>

<li><p>If the new <span>browsing context</span> has a <span>creator browsing context</span>, then
set <var>document</var>'s <span data-x="concept-document-referrer-policy">referrer policy</span>
to the <span>creator referrer policy</span>.</p></li>

<li><p>Ensure that <var>document</var> has a single child <code>html</code> node, which itself
has two empty child nodes: a <code>head</code> element, and a <code>body</code>
element.</p></li>
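Review bot: the new about:blank document copies the creator referrer policy, which by the definition added above is a snapshot of the creator's active document at the time the browsing context was created. Worth a note that later changes to the creator document's policy (for example a meta element inserted afterwards) do not propagate to the already-created context, since the step as written is a one-time copy rather than a live link.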
<p>Otherwise, the result of obtaining the resource for the URL is a <span
data-x="concept-response">response</span> whose <span
data-x="concept-response-header-list">header list</span> consists of <code
data-x="">Content-Type</code>/<code>text/html</code>, whose <span
data-x="concept-response-body">body</span> is <var>result</var>, and whose <span
data-x="concept-response-https-state">HTTPS state</span> is <var>settings</var>'s
<span>HTTPS state</span>.</p>
data-x="">Content-Type</code>/<code>text/html</code> and `<code
data-x="http-referrer-policy">Referrer-Policy</code>`/<var>settings</var>'s <span>referrer
policy</span>, whose <span data-x="concept-response-body">body</span> is <var>result</var>,
and whose <span data-x="concept-response-https-state">HTTPS state</span> is
<var>settings</var>'s <span>HTTPS state</span>.</p>

<p class="warning">The exact conversion between the JavaScript string <var>result</var> and
the bytes that comprise a <span data-x="concept-response-body">response body</span> is
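Review bot: the javascript: URL response takes its `Referrer-Policy` header from settings's referrer policy, that is, the environment settings object's new field. Only the WorkerGlobalScope implementation of that field appears in this diff; make sure the Window settings object's "The referrer policy" entry, returning the Document's referrer policy, is part of the companion change, otherwise this step reads a value that no algorithm defines for windows.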
<var>window</var>.</p></li>

<li><p>Set the <code>Document</code>'s <span data-x="concept-document-https-state">HTTPS
state</span> to the <span data-x="concept-response-https-state">HTTPS state</span> of the
resource used to generate the document.</p></li>
state</span> to the <span data-x="concept-response-https-state">HTTPS state</span> of the <span
data-x="concept-response">response</span> used to generate the document.</p></li>

<li><p>Set the <code>Document</code>'s <span data-x="concept-document-referrer-policy">referrer
policy</span> to the result of <span data-x="parse-referrer-policy-header">parsing the
`<code>Referrer-Policy</code>` header</span> of the <span
data-x="concept-response">response</span> used to generate the document. <ref
spec="REFERRERPOLICY"></p></li>

<li><p>Execute the <span>Initialize a <code data-x="">Document</code>'s CSP list</span>
algorithm on the <code>Document</code> object and the resource used to generate the document.
<ref spec="CSP"></p>
algorithm on the <code>Document</code> object and the <span
data-x="concept-response">response</span> used to generate the document. <ref spec="CSP"></p>

<li><p>Set <span>the document's referrer</span> to the <i>address of the resource from which
Request-URIs are obtained</i> as determined when the fetch algorithm obtained the resource, if
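Review bot: the "Initialize a Document's CSP list" item at the end of this hunk still closes with `</p>` and no `</li>`, unlike the HTTPS state and referrer policy items right above it; since the line is being rewritten anyway ("resource" to "response"), add the `</li>` so the three items are consistent. The new referrer policy step itself sits sensibly between HTTPS state and CSP initialization and mirrors the ordering used in the worker hunk.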
channel used to deliver the resource with which the <span>environment settings object</span> is
associated.</p></dd>

<dt>A <span>referrer policy</span></dt>

<dd><p>The default <span>referrer policy</span> for <span data-x="concept-fetch">fetches</span>
performed using this <span>environment settings object</span> as a <span
data-x="concept-request-client">request client</span>. <ref spec=REFERRERPOLICY>

</dl>

<p>An <span>environment settings object</span> also has an <dfn>outstanding rejected promises
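Review bot: the new `<dd>` for "A referrer policy" ends after `<ref spec=REFERRERPOLICY>` with no closing `</p>` or `</dd>`, while the HTTPS state entry just above closes with `</p></dd>`; add the closing tags for consistency. On the same line, the reference is written unquoted (`spec=REFERRERPOLICY`) whereas the Document creation hunk writes `<ref spec="REFERRERPOLICY">` and the CSP refs use quotes; pick one form.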
data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-https-state">HTTPS state</dfn>
(an <span>HTTPS state value</span>). It is initially "<code data-x="">none</code>".

<p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-export=""
data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-referrer-policy">referrer
policy</dfn> (a <span>referrer policy</span>). It is initially the empty string.

<p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-export=""
data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-csp-list">CSP list</dfn>. It is
initially an empty list.
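Review bot: the WorkerGlobalScope referrer policy dfn is exported (`data-export=""`) but the Document referrer policy dfn added earlier in this diff is not. Given the commit message says the Referrer Policy spec currently monkeypatches the document and navigation cases, it will most likely need to reference the Document's referrer policy as well; consider exporting both, or add a note on why only the worker one is exported.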
data-x="concept-WorkerGlobalScope-https-state">HTTPS state</span> to <var>response</var>'s
<span data-x="concept-response-https-state">HTTPS state</span>.</p></li>

<li><p>Set <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-referrer-policy">referrer policy</span> to the result of
<span data-x="parse-referrer-policy-header">parsing the `<code>Referrer-Policy</code>`
header</span> of <var>response</var>.</p></li>

<li><p>Execute the <span>Initialize a <code data-x="">global object</code>'s CSP list</span>
algorithm on <var>worker global scope</var> and <var>response</var>. <ref spec="CSP"></p></li>


</dd>

<dt>The <span>referrer policy</span></dt>
<dd>

<p>Return <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-referrer-policy">referrer policy</span>.</p>

</dd>

</dl>

</li>

0 comments on commit 176e742
