Never send a referrer with hyperlink auditing pings

For same-origin pings, a ping request with a referrer might be mistaken as a trustable POST. We already don't include a referrer if the document containing the anchor is secure. Stripping the referrer for insecure, cross-origin pings makes the whole algorithm easier. PR: #712
whatwg · Feb 22, 2016 · faec3a5 · faec3a5
1 parent 56f5c5e
commit faec3a5
Showing 1 changed file with 10 additions and 17 deletions.
diff --git a/source b/source
@@ -21133,7 +21133,8 @@ interface <dfn>HTMLHyperlinkElementUtils</dfn> {
    the <code>Document</code> containing the <span>hyperlink</span>, <span
    data-x="concept-request-destination">destination</span> is "<code data-x="">subresource</code>",
    <span data-x="concept-request-credentials-mode">credentials mode</span> is "<code
-   data-x="">include</code>", and whose <span>use-URL-credentials flag</span> is set.</p></li>
+   data-x="">include</code>", <span data-x="concept-request-referrer">referrer</span> is "<code
+   data-x="">no-referrer</code>", and whose <span>use-URL-credentials flag</span> is set.</p></li>
 
    <li>
     <p>Let <var>target URL</var> is the <span>resulting URL string</span> obtained from <span
@@ -21148,32 +21149,24 @@ interface <dfn>HTMLHyperlinkElementUtils</dfn> {
      <dd><var>request</var> must include a `<code data-x="http-ping-from">Ping-From</code>` header
      with, as its value, the <span data-x="the document's address">address</span> of the document
      containing the hyperlink, and a `<code data-x="http-ping-to">Ping-To</code>` HTTP header with,
-     as its value, the <var>target URL</var>. <var>request</var>'s <span
-     data-x="concept-request-referrer">referrer</span> must be "<code data-x="">no-referrer</code>".
-     <!-- because otherwise it would look like a trustable same-origin POST --></dd>
+     as its value, the <var>target URL</var>.
+     </dd>
 
      <dt>Otherwise, if the origins are different, but the document containing the hyperlink being
      audited was not retrieved over an encrypted connection</dt>
 
-     <dd><var>request</var>'s <span data-x="concept-request-referrer">referrer</span> must be the
-     <span data-x="the document's address">address</span> of the document containing the hyperlink.
-     <var>request</var> must include a `<code data-x="http-ping-from">Ping-From</code>` header with
-     the same value, and a `<code data-x="http-ping-to">Ping-To</code>` HTTP header with, as its
-     value, <var>target URL</var>.</dd>
+     <dd>The <var>request</var> must include a `<code data-x="http-ping-from">Ping-From</code>`
+     header with the <span data-x="the document's address">address</span> of the document containing
+     the hyperlink as its value, and a `<code data-x="http-ping-to">Ping-To</code>` HTTP header
+     with, as its value, <var>target URL</var>.</dd>
 
      <dt>Otherwise, the origins are different and the document containing the hyperlink being
      audited was retrieved over an encrypted connection</dt>
 
      <dd><var>request</var> must include a `<code data-x="http-ping-to">Ping-To</code>` HTTP header
-     with, as its value, <var>target URL</var>. <var>request</var>'s <span
-     data-x="concept-request-referrer">referrer</span> must be "<code data-x="">no-referrer</code>".
-     <span class="note"><var>request</var> does not include a `<code
-     data-x="http-ping-from">Ping-From</code>` header.</span></dd>
+     with, as its value, <var>target URL</var>.  <span class="note"><var>request</var> does not
+     include a `<code data-x="http-ping-from">Ping-From</code>` header.</span></dd>
     </dl>
-
-    <p class="&#x0058;&#x0058;&#x0058;">These headers should be <a
-    href="https://github.com/w3c/webappsec/issues/469">subject to <cite>Referrer
-    Policy</cite></a>.</p>
    </li>
 
    <!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>